What are the pros and cons of using Yii QueryBuilder (or any other types of query builders) to construct actual queries instead of just writing out the queries?
From guide:
The Query Builder is best used when you need to assemble a SQL statement procedurally, or based on some conditional logic in your application. The main benefits of using the Query Builder include:
It allows building complex SQL statements programmatically.
It automatically quotes table names and column names to prevent conflict with SQL reserved words and special characters.
It also quotes parameter values and uses parameter binding when possible, which helps reduce risk of SQL injection attacks.
It offers certain degree of DB abstraction, which simplifies migration to different DB platforms.
Related
According to Node.js' mysql package documentation:
In order to avoid SQL Injection attacks, you should always escape any user provided data before using it inside a SQL query. You can do so using the mysql.escape(), connection.escape() or pool.escape() methods.
I cannot find any documentation / reference to using prepared statements with mysql, except for in a reference to using '?' characters. It states the following:
Alternatively, you can use ? characters as placeholders for values you would like to have escaped...
This looks similar to prepared statements in MySQL, however it really
just uses the same connection.escape() method internally.
From my experience with talking to other developers, the general consensus in the developer community is that prepared statements are the ONLY safe way to perform mysql queries from Node.js however, as you can see with the mysql package, there is no obvious support for prepared statements. However, it is indicated that their method for avoiding SQL injection is via the usage of the escape functions.
My Question:
Are the escape functions in the mysql package sufficient enough to securely query a mysql database (without the use of prepared statements)?
Escaping is actually just as safe as using parameterized queries, if you do it consistently.
But it's recommended to use parameters because it makes your code simpler. Therefore developers are probably more likely to do it.
If the Node.js library makes it just as convenient as parameters, but implements it internally by modifying query strings, replacing the ? marks with the parameter values, then you're good.
For what it's worth, Python's MySQL driver does this too, and also PHP's PDO extension when the "emulate prepares" option is in effect. As long as those libraries are well-tested, it should be safe.
FWIW, both escaping and parameters is limited in SQL injection prevention, because in both cases, you can only protect values that you would combine with your SQL query. You cannot protect identifiers (like table names, or column names), or SQL keywords, or expressions, etc. In these cases, just be careful that you have vetted any dynamic content before combining it with your SQL query.
See also:
Preventing SQL injection in Node.js
Difference between real_escape_string and prepare()?
I want to know difference between Mysql Query and Hibernate Query. Anybody know give your Suggestion
There is a world of difference between the two. I will try my best to explain it to you.
For writing a MySQL query, you need to think in terms of tables, whereas for a Hibernate query, you need to think in terms of objects.
If you have MySQL queries embedded in your Java code, when you try to switch your database to a different one (say Oracle for example), your queries may not work anymore. This is because different db vendors have different syntax's that they need you to use to accomplish the same goal.
However, in the case of a Hibernate query, you will need to just change the appropriate property in the hibernate configuration file. Since you write queries in terms of objects, Hibernate will automatically generate the appropriate SQL it requires to work with the underlying db.
Also, one another major difference between the two (or between Hibernate and a specific db query language) is the way joins are done. We can use the dot operator in Hibernate Query Language (HQL) to access the properties of a component object without needing to explicitly specify a JOIN clause as we would in a specific query language.
Besides this, there are tons of differences between the two and in no way can all of them be summarized here.
I mean for security. Does converting to/from JSON objects help any with MySQLi?
My intention is to use MySQLi statements and send/receive everything as JSON objects (in order to in the future allow Android to use the same calls and queries.)
My only focus on this question is the security side of it. Do I need prepared statements if I'm converting everything to and from JSON objects for a MySQL database.
It doesn't matter what kind of data you are storing in the database. To prevent against SQL injection you need to parameterize all variable input in your SQL. It makes no difference where this data comes from. It doesn't matter what it is.
There is no reason not to use prepared statements. Seriously, not a single reason why you should not use prepared statements 100% of the time, even for constant queries.
Remember though, that prepared statements do not protect against SQL injection. Only the parameters help. Use placeholders in your SQL and bind the data separately. Do this always.
I am using mysqli prepared statements and bound variables.
Then to prevent sql injection, am I need to do anything else(eg: data type validation, filtering, sanitize, string escape etc ) with user input ?
Is there any other way of attacking MySql database other than Sql Injection ?
To prevent SQL injection you have to format your query properly.
Every literal that have to be added to the query dynamically, have to be properly formatted.
Not only data literals like strings and numbers but all of them, including operators and identifiers.
The only proper way to make values formatted is prepared statements.
For the identifiers and operators you will need also filtering, to let only allowed ones into query.
Whatever user input should not be involved at all. It's destination, not source that matters.
Is there any other way of attacking MySql database other than Sql Injection ?
sure thing. But the topic is too broad to make you secured by means of a forum post. Better hire a DBA.
I know with dynamic linq you can construct expressions dynamically in the same way that you might build and execute a dynamic SQL statement - e.g. a dynamic where clause or a dynamic select list. Is it possible to do this in cases where the schema is not known at compile time?
In a database I'm working with users can define their own entities which causes new tables/columns to be created in the back-end database. At run time I'll know the table & column names I need to work with but I won't know the schema at compile time hence I can't build a DBML to work with up front.
Is there any facility for the dynamic discovery of the schema at run time or is this a case where I need to stick with building dynamic SQL statements?
As far as we understand, you don't know neither schema name nor the full structure of your schema for sure.
In this case it seems that the strongly-typed ExecuteQuery method overload will be an option.
Just write the SQL queries and add the necessary parameters (like table and column names) either using string concatenation or as parameters.