Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 6 years ago.
Improve this question
I want to write custom queries using Sequelize, and as far as possible avoid potential issues with SQL Injection. My question is therefore if there exists a secure way of writing custom queries with inserted variables using Sequelize?
Sequelize escapes replacements, which avoids the problem at the heart of SQL injection attacks: unescaped strings. It also supports binding parameters when using SQLite or PostgreSQL, which alleviates the risk further by sending the parameters to the database separately to the query, as documented here:
Bind parameters are like replacements. Except replacements are escaped
and inserted into the query by sequelize before the query is sent to
the database, while bind parameters are sent to the database outside
the SQL query text. A query can have either bind parameters or
replacements.
Only SQLite and PostgreSQL support bind parameters. Other dialects
will insert them into the SQL query in the same way it is done for
replacements. Bind parameters are referred to by either $1, $2, ...
(numeric) or $key (alpha-numeric). This is independent of the dialect.
Related
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 6 years ago.
Improve this question
Mysql Delete query VS Mysql Triggers (which is fast option?)
Triggers if you want your DBA to be in control of the code.
Query if you want your programmers to be in control of the code.
To clarify:
If it's a trigger, then the implication is that it's part of the database design for things to work that way. i.e. the structure of the database depends on it working that way.
If it's query code, then the implication is that the action is part of your business logic, and not critical to the core structure of the DB.
As mentioned before, they are different things. From MSDN: "A trigger is a special kind of stored procedure that automatically executes when an event occurs in the database server"; whereas a DELETE is a DML statement, that is, statement to manipulate database records. In this case, used for removing database records from a table or view.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
Today i learned how to create stored procedures in MySQL.
DELIMETER //
CREATE PROCEDURE new(IN first INT)
BEGIN
SELECT * FROM table WHERE first_id= first;
END //
Lets say i created this and called it from PHP; CALL new('4');
or i wrote my sql command directly into PHP
$mysqli->query("SELECT * FROM table WHERE first_id= $first");
I have 20 sql commands in my PHP and i am doing them copy past into phpmyadmin as stored procedures. they are not descreasing. Now what i gain from stored procedure? Just a few letter? or??? Thanks for help.
Stored procedures are a good way for building a clean abstraction layer between what is going on in the database and your server side logic. In addition a stored procedure allows that you specify exactly what kind of data you are expexting (data type and possibly length) which can help to improve security in your application (at least at this "access data from database"-point).
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
If the database used by a server is something other than MySQL, say Mongo DB, then is it possible to execute SQL queries? In such cases how can we perform SQL injection?
I don't expect all the possible commands, but some basic commands if the app is using, say MongoDB.
Yes. This type of attack is possible with any data source which parses queries. In the case of MongoDB, the queries are written in JavaScript instead of SQL but if you build your query like this:
String query = "db.users.find({ age: " + request.getParameter("age") + " });"
then you open the database to similar kinds of attacks.
This is nosql injection, and it is possible.
https://www.owasp.org/index.php/Testing_for_NoSQL_injection
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
Okay so basically I'm a little bit stumped. This question is regarding the JDBC driver. Basically we own a server that is hosted on this driver, and it's running MYSQL. We are using coldfusion as our language of choice. We have a GET parameter ?lang= and injecting the character '\' into it prompts the error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near and no other character causes this error. I am sort of worried here. Can anyone tell me how an attacker would approach an sql injection attack into this parameter? So I can understand how I can filter it because in my code I am properly filtering preg_match on \ character and yet I still get this error. How would I be able to inject this parameter? Can someone point me to a guide or something, or if it's even possible. Just so I can rest in piece assuming it's not. But anyhow if this information is necessary the mysql version is 5.1.30 and the exact driver name is MySQL-AB JDBC Driver. Thanks for taking your time to help me out!
\ can be an escape character in mysql.
For example, an attacker could use the \b sequence to delete portions of your query and rewrite with their own injected sql.
The most reliable way to prevent sql injection attacks is to use parametrized queries.
See also:
Mysql character escape sequences
Preventing Sql Injection in Java
Using prepared statements
Also be aware that in many databases (not absolutely sure about the JDBC/Mysql combination) it is also possible to "inject" a wildcard character into a sql LIKE clause, even with a parametrized query. "Injection" in this particular case is not always a problem - in fact, in many cases it may be exactly the desired behavior. However, it can be a problem, if for example, you were doing something horrid like SELECT * FROM Users WHERE UserName LIKE #userInput AND Password LIKE #passwordInput (which would allow anyone to log in simply by inputing the % wildcard character on the screen for both fields).
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 9 years ago.
Improve this question
I want to secure all my inputs to my database. I have written follow function:
function mysql_real_escape_array($t){
return array_map("mysql_real_escape_string",$t);
}
In a file which get loaded by all my php datas i have written:
$_POST=mysql_real_escape_array($_POST);
I think i dont have any disadvantages trough this dirty code and there is no malicious query possible. Or does somebody thinks, that is have any disadvantages trough this code?
Would be happy to hear some feedback. I know it is maybe not the best solution, but in this way i can never forget to escape something.
Thanks!
The only way to surely protect against injection is to use properly parameterized queries. All parameters to queries have vulnerabilities and must be properly escaped. This is not just to prevent malicious injection, but to prevent accidental injection. For example, you could have:
SELECT value FROM t1
$value = $result; //$value is now "o'connel"
// SQL error caused by apostrophe in string
SELECT col FROM t2 WHERE value = '$value'
You may consider this data safe because it is internal, but it can still cause a problem by not being properly escaped.
About overwriting $_POST, note that you can still get the raw post body as well as $_POST values from $_REQUEST, so there is no way to assure that your data is properly escaped. What's more is that mysql_real_escape_string may not have a valid mysql connection when you need to use it. This can cause problems and vulnerabilities. $_POST values can also be arrays, so your function would need to be recusive too.
It's much easier to forget all those considerations and use parameterized queries with PDO or mysqli. Note that using prepared statements is not enough in and of itself. You have to properly parameterize the queries.
Use Prepared Statements either via PDO or MySQLi. This is the only approach that is really secure and doesn't hurt performance.