Is SQLAlchemy safe from SQL injection? [duplicate] - sqlalchemy

Simple question, but I just want to be sure of the answer: using Flask-SQLAlchemy, is this safe (where searchstring comes directly from the user)?
results = MyClass.query.filter(MyClass.MyProperty.ilike('%{}%'.format(searchstring)))

SQLAlchemy is good, but you should avoid raw SQL as much as possible. In your case it does not look like it is prone to SQL injection, but my 2 cents is to avoid raw SQL as much as possible.
Also refer: Is a SQLAlchemy query vulnerable to injection attacks?

Related

SQL Injection on JDBC Driver - MySQL? [closed]

Okay so basically I'm a little bit stumped. This question is regarding the JDBC driver. Basically we own a server that is hosted on this driver, and it's running MySQL. We are using ColdFusion as our language of choice. We have a GET parameter ?lang= and injecting the character '\' into it prompts the error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near and no other character causes this error. I am sort of worried here. Can anyone tell me how an attacker would approach an SQL injection attack into this parameter? So I can understand how I can filter it, because in my code I am properly filtering preg_match on the \ character and yet I still get this error. How would I be able to inject this parameter? Can someone point me to a guide or something, or tell me if it's even possible? Just so I can rest in peace assuming it's not. But anyhow, if this information is necessary, the MySQL version is 5.1.30 and the exact driver name is MySQL-AB JDBC Driver. Thanks for taking your time to help me out!
\ can be an escape character in MySQL.
For example, an attacker could use the \b sequence to delete portions of your query and rewrite with their own injected SQL.
The most reliable way to prevent SQL injection attacks is to use parametrized queries.
See also:
MySQL character escape sequences
Preventing SQL Injection in Java
Using prepared statements
Also be aware that in many databases (not absolutely sure about the JDBC/MySQL combination) it is also possible to "inject" a wildcard character into a SQL LIKE clause, even with a parametrized query. "Injection" in this particular case is not always a problem - in fact, in many cases it may be exactly the desired behavior. However, it can be a problem if, for example, you were doing something horrid like SELECT * FROM Users WHERE UserName LIKE #userInput AND Password LIKE #passwordInput (which would allow anyone to log in simply by inputting the % wildcard character on the screen for both fields).
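The LIKE-wildcard caveat above is also the remaining issue in the `ilike('%{}%'.format(searchstring))` question at the top of the page: the value is bound, so it cannot change the statement, but `%` and `_` inside it still act as wildcards. The following is an added example, not code from any of the posts; it uses Python's built-in sqlite3 as a stand-in for MySQL, and the table, rows and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; SQLite stands in for the MySQL backend.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (name TEXT)")
    db.executemany("INSERT INTO items VALUES (?)",
                   [("100% cotton",), ("cotton_blend",), ("wool",)])
    return db

def search_naive(db, term):
    # Bound parameter: the term cannot alter the SQL, but any % or _
    # it contains is still interpreted as a LIKE wildcard.
    rows = db.execute(
        "SELECT name FROM items WHERE name LIKE ? ORDER BY name",
        ("%{}%".format(term),))
    return [r[0] for r in rows]

def escape_like(term, esc="\\"):
    # Escape the escape character first, then the two LIKE wildcards.
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))

def search_literal(db, term):
    # ESCAPE declares the escape character, so the term matches literally.
    rows = db.execute(
        "SELECT name FROM items WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
        ("%" + escape_like(term) + "%",))
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = make_db()
    for term in ("%", "_", "' OR 1=1 --"):
        print(repr(term), search_naive(db, term), search_literal(db, term))
```

In SQLAlchemy, `contains(searchstring, autoescape=True)` applies the same wildcard escaping to the bound value.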

PHP Function: mysql_real_escape_string & set layer to $_POST [closed]

I want to secure all my inputs to my database. I have written the following function:
function mysql_real_escape_array($t){
return array_map("mysql_real_escape_string",$t);
}
In a file which gets loaded by all my PHP files I have written:
$_POST=mysql_real_escape_array($_POST);
I think I don't have any disadvantages through this dirty code and there is no malicious query possible. Or does somebody think that there are any disadvantages to this code?
Would be happy to hear some feedback. I know it is maybe not the best solution, but in this way I can never forget to escape something.
Thanks!
The only way to surely protect against injection is to use properly parameterized queries. All parameters to queries have vulnerabilities and must be properly escaped. This is not just to prevent malicious injection, but to prevent accidental injection. For example, you could have:
SELECT value FROM t1
$value = $result; //$value is now "o'connel"
// SQL error caused by apostrophe in string
SELECT col FROM t2 WHERE value = '$value'
You may consider this data safe because it is internal, but it can still cause a problem by not being properly escaped.
About overwriting $_POST, note that you can still get the raw post body as well as $_POST values from $_REQUEST, so there is no way to assure that your data is properly escaped. What's more, mysql_real_escape_string may not have a valid MySQL connection when you need to use it. This can cause problems and vulnerabilities. $_POST values can also be arrays, so your function would need to be recursive too.
It's much easier to forget all those considerations and use parameterized queries with PDO or mysqli. Note that using prepared statements is not enough in and of itself. You have to properly parameterize the queries.
Use Prepared Statements either via PDO or MySQLi. This is the only approach that is really secure and doesn't hurt performance.
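The "o'connel" case from the answer above, carried through end to end as an added example (not code from any of the posts): input escaped once at the boundary, as the `$_POST` overwrite does, is stored unescaped and breaks the next concatenated statement, while a bound parameter does not care where the value came from. Python's sqlite3 stands in for MySQL, `escape()` is a hypothetical stand-in for `mysql_real_escape_string`, and the sample values are constructed.

```python
import sqlite3

def escape(s):
    # Stand-in for mysql_real_escape_string: SQLite escapes ' by doubling it.
    return s.replace("'", "''")

def make_db(post):
    # `post` plays the role of $_POST; every value is escaped up front.
    escaped = {k: escape(v) for k, v in post.items()}
    db = sqlite3.connect(":memory:")
    db.executescript("CREATE TABLE t1 (value TEXT);"
                     "CREATE TABLE t2 (col TEXT, value TEXT);")
    # Concatenation works here because this input was escaped once.
    db.execute("INSERT INTO t1 VALUES ('%s')" % escaped["name"])
    db.execute("INSERT INTO t2 VALUES ('row-1', '%s')" % escaped["name"])
    return db

def stored_value(db):
    # The database holds the original text; the escaping did not survive.
    return db.execute("SELECT value FROM t1").fetchone()[0]

def lookup_concatenated(db):
    # "Internal" data from t1 goes into the next statement unescaped.
    sql = "SELECT col FROM t2 WHERE value = '%s'" % stored_value(db)
    try:
        return [r[0] for r in db.execute(sql)]
    except sqlite3.OperationalError as exc:
        return "error: %s" % exc

def lookup_parameterized(db):
    # The value travels separately from the SQL text, whatever its origin.
    rows = db.execute("SELECT col FROM t2 WHERE value = ?",
                      (stored_value(db),))
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = make_db({"name": "o'connel"})
    print(stored_value(db))
    print(lookup_concatenated(db))
    print(lookup_parameterized(db))
```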

Mysql Database Attacks other than Sql Injection

I am using mysqli prepared statements and bound variables.
Then, to prevent SQL injection, do I need to do anything else (e.g. data type validation, filtering, sanitizing, string escaping etc.) with user input?
Is there any other way of attacking a MySQL database other than SQL injection?
To prevent SQL injection you have to format your query properly.
Every literal that has to be added to the query dynamically has to be properly formatted.
Not only data literals like strings and numbers but all of them, including operators and identifiers.
The only proper way to make values formatted is prepared statements.
For the identifiers and operators you will also need filtering, to let only allowed ones into the query.
Whatever user input should not be involved at all. It's the destination, not the source, that matters.
Is there any other way of attacking a MySQL database other than SQL injection?
Sure thing. But the topic is too broad to make you secured by means of a forum post. Better hire a DBA.
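The split the answer above describes, values through placeholders and identifiers and operators through filtering, can look like this. It is an added example, not code from the post: Python's sqlite3 stands in for MySQL, and the table, the allowed sets and the function names are constructed for illustration.

```python
import sqlite3

# Identifiers and keywords a caller may choose; everything else is rejected.
ALLOWED_COLUMNS = {"name", "created"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}

def make_db():
    # Constructed sample data.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, created TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("bob", "2020-01-02", "user"),
        ("alice", "2021-05-06", "admin"),
        ("carol", "2019-03-04", "user")])
    return db

def list_users(db, role, sort_by="name", direction="asc"):
    # Column names and ASC/DESC cannot be bound as parameters, so they are
    # checked against fixed sets and rejected otherwise, never escaped.
    if sort_by not in ALLOWED_COLUMNS:
        raise ValueError("unsupported sort column")
    keyword = ALLOWED_DIRECTIONS.get(direction.lower())
    if keyword is None:
        raise ValueError("unsupported sort direction")
    # Only allowlisted text reaches the SQL string; the value is bound.
    sql = 'SELECT name FROM users WHERE role = ? ORDER BY "{}" {}'.format(
        sort_by, keyword)
    return [r[0] for r in db.execute(sql, (role,))]

if __name__ == "__main__":
    db = make_db()
    print(list_users(db, "user"))
    print(list_users(db, "user", "created", "asc"))
```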

MySQL C API - Prepared statements vs. escaping input

I'm building a C application, and for the first time using the MySQL API. I did a little research before I began building my application and stumbled upon this SO question, which talks about not putting user data directly into queries and instead using prepared statements to overcome the possibility of SQL injection - which is just fine and dandy.
I've come round to actually coding my application and I feel like I want to slit my wrists. I haven't used prepared statements before (it's so different to what I'm used to doing normally in my other favourite language, PHP - I'm so used to just writing SQL and escaping data). It so happens that I've also stumbled across the function mysql_real_escape_string. My question is - is it just as safe to escape data in an SQL query (an example below) as it is in a prepared statement?
mysql_real_escape_string(dbc, sBuf, sUserInputData, strlen(sUserInputData));
sprintf(sQuery, "SELECT * FROM `sessions` WHERE `SessionID`='%s';", sBuf);

What are the key differences between MySQL and MS SQL Language? [duplicate]

Possible Duplicate:
Differences Between MySql and MS SQL
What is the key difference between MySQL and SQL Server from the SQL language perspective? The reason why I am asking is that I need to quickly master some basic SQL knowledge and need to find a book to start with.
I found this one through amazon.com: Learning SQL, 2nd Edition. However, this book is for MySQL. All other books for MS SQL are big ones that cannot be finished in a short time.
So, is it fine if I just grab a MySQL book and later easily transfer to the MS SQL world, or should I immediately go into MS SQL Server?
// update the title based on the comments ///
The following links might help you out.
Note that the two are very different.
If you want to make your life easy, use PostgreSQL; the gap between that and SQL-server is much smaller.
Difference between MySQL and MSSQL
From microsoft and mysql respectively:
http://technet.microsoft.com/en-us/library/cc966396.aspx
http://www.mysql.com/why-mysql/white-papers/mysql_wp_mssql2mysql.php (login required sorry)
On stackoverflow: Differences between MySQL and SQL Server
Difference between PostgreSQL and MySQL
http://www.wikivs.com/wiki/MySQL_vs_PostgreSQL
Difference between PostgreSQL and MSSQL
On SO: https://stackoverflow.com/questions/907908/postgres-to-sql-server
and: https://stackoverflow.com/questions/4630891/tips-for-sql-server-developer-picking-up-postgresql
Diff between all three :-)
http://www.postgresonline.com/journal/archives/51-Cross-Compare-of-SQL-Server,-MySQL,-and-PostgreSQL.html
or http://troels.arvin.dk/db/rdbms/
This might be a good tutorial to start with SQL - http://philip.greenspun.com/sql/ (rather old, but valid) - though it points more to Oracle, but MySQL is mentioned there.