As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 11 years ago.
I'm developing a new application and I want to test if it's vulnerable. I know some common attacks, but maybe you can provide some more to make my app safer.
Thanks!
Check out this post: http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
Also, there's a Firefox add-on named SQL Inject Me, but right now it doesn't work with Firefox 6.
There's no reason to test for multiple attack vectors. Simply passing the character used to quote strings (usually ') should cause a syntax error if it's open to SQL injection -- unless you have an IDS or some signature-based detection standing in your way.
Always escape your variables with the proper function (for example, $pdo->quote() or mysql_real_escape_string(), depending on which extension you are using).
Use prepared statements as much as possible
Never escape your variables too early, or you will never know whether they are escaped or not. Escape them as late as possible, and always assume that they are not escaped.
Properly set the connection encoding.
If you follow this, you are not vulnerable to SQL injection (provided that you don't forget to escape something).
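As an added example (not code from any of the answers above), the single-quote probe and the prepared-statement fix, written against Python's standard sqlite3 module standing in for the PHP/MySQL setup discussed; the table, rows and function names are constructed for illustration:

```python
import sqlite3


def make_db():
    # Constructed in-memory database with a small sample table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


def find_user_concat(conn, name):
    # Vulnerable pattern: untrusted input is pasted into the SQL text,
    # so a stray quote reaches the SQL parser.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_prepared(conn, name):
    # Prepared statement: the driver binds the value separately and
    # the SQL text never changes, whatever the input contains.
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def probe(query_fn, conn, probe_input="'"):
    # The test from the answer: send a lone quote character. A syntax
    # error from the database means the input was spliced into the query.
    try:
        query_fn(conn, probe_input)
        return "ok"
    except sqlite3.OperationalError as exc:
        return "syntax error: " + str(exc)


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", probe(find_user_concat, db))
    print("prepared:    ", probe(find_user_prepared, db))
```

The concatenated version fails the probe with a database error, while the prepared version simply returns no rows for the name `'`.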
Closed 9 years ago.
I've been getting acquainted with the Zend and Yii frameworks and am trying to understand the benefits of using some of their built-in methods to perform MySQL queries. While I definitely see the benefits of using their classes to connect to the database, and to do things such as insert/update, I'm trying to understand the benefit of using objects for SELECTing from the database, as it seems to just obscure the MySQL statement when the queries are complicated. Is there any benefit, or is it just a matter of preference?
First, I'm not a Zend or even a PHP developer, but I would say that you already pointed out the biggest advantage: "obscuring" the SQL. That way you're not tied to one specific DBMS. For example, you don't select a range the same way in MySQL and SQL Server. So let's suppose you switch from one to the other: if you're not using the framework objects for doing your queries, you may need to rewrite them.
If you use the framework, you'll probably only have to switch database connectors (or whatever they're called in the framework).
Closed 10 years ago.
I've just started creating my first MVC website; what's the best practice to prevent hacking on my site (such as cross-site attacks, SQL injection, etc.)?
I'm worried about uploading the site without security; I've encountered an actual injection before using cross-site injection. How can I protect the site? Can I encrypt the source ASP page HTML design?
Have a look at this getting started with MVC3 guide. It covers both MVC3 and Entity Framework, and there are also some notes on security considerations.
Use something like Entity Framework or NHibernate to prevent SQL injections. These are very powerful tools for working with databases.
Other security questions you must solve as with other frameworks too. For ASP.NET MVC I found some articles here; take a look at this.
For cross domain you can probably generate a key for every request, store that in the Session, and then check against that generated key.
Closed 11 years ago.
I have a big query which is all written in lowercase letters.
Is there any way to automatically switch only the commands to capitals without editing them manually?
Also, if it can auto-align the text, that would be helpful too.
Many online editors are available.
After Googling for "online sql formatter" I found this one useful:
http://www.dpriver.com/pp/sqlformat.htm
If you want an IDE, then this would be the best option: Toad
phpMyAdmin capitalizes MySQL commands and adds line breaks, but doesn't indent nested selects or joins.
SQLyog does capitalisation; I can't remember about indenting.
Closed 11 years ago.
As I know, both SQL Server and Oracle are database systems.
1. In the case of SQL Server, we can work with multiple databases at once.
Is there any other difference between Oracle and SQL Server?
Check out this comparison of databases, there are quite a few differences.
They both store data, but apart from that they are like chalk and cheese - they are massively different in a lot of ways.
Oracle can be used as a small database system, but is more aimed at the enterprise data storage level, whereas SQL Server is more commonly used at the lower end of the data storage market (although they also have a very good enterprise level product).
I suggest you just start with the Wikipedia entries, then if you have more specific questions come back and ask them.
Oracle
SQL Server
P.S. Even though I tendered an answer, I'm voting to close this as the question is way too broad in scope.
Closed 10 years ago.
Is it a best practice to validate JSON?
With both a JSON schema proposal and a JavaScript implementation of a JSON Schema validator, this practice would seem relatively frictionless to implement. So, is it a no-brainer that should be part of any robust application? Or do you employ other preferred strategies to handle bad JSON?
On the server, validation of data coming from outside is a must.
In the browser, it is redundant from a security POV, if you can vouch that the JSON is generated by server code you control and that any data it depends on has been validated on the server. Even so it can still be useful for debugging.
My 2c on this is that:
(a) Yes, obviously incoming data should be validated, but
(b) The best place to do this is NOT with JSON data as is, but with actual business logic objects, iff data binding is used. JSON validation only makes sense if you handle "raw" JSON, but most services (at least in Java) use data binding first and then operate on business logic objects, not on the data format (which often is almost an implementation detail).