I have an Access database that must connect to Oracle programmatically to create a linked table. The connection string is of the form:
ODBC;Driver={Microsoft ODBC for Oracle};Pwd=<Password>;UID=<User>;Server=<Server>
Currently the login info is hardcoded.
I now have to have the tool connect to different databases. I was going to simply let the user enter the <User>, <Password>, and <Server> and then just concatenate it all together into a single connection string. I'm pretty sure this is SQL Injection safe because the connection doesn't actually exist at this point, but I'm not 100% certain - is this a valid concernt, and if so how would I sanitize these inputs (which come from free-form text fields)?
This is not called SQL Injection because the connection string doesn't allow execution of arbitrary SQL code.
If you are giving users access to the database from the desktop then SQL Injection probably isn't a very relevant concern anyway. Why would anyone bother trying to inject SQL through an application vulnerability when it's much easier for him just to create a connection himself using his valid credentials?
It appears that your concern is valid, as evidenced by the fact that ADO.NET has a set of Connection String Builder classes (though it's more accurate to call it "connection string injection" vs. "SQL injection" since there's no SQL involved). Since you're not using .NET, the next best option is input sanitization and escaping special characters. The MSDN reference on OLEDB connection string syntax states that:
To include values that contain a
semicolon, single-quote character, or
double-quote character, the value must
be enclosed in double quotes.
and
If the value contains both
single-quote and double-quote
characters, the quote character used
to enclose the value must be doubled
each time it occurs within the value.
This is a VBScript I put together which attempts to implement the two guidelines above:
Option Explicit
Dim pw, connStr, conn
pw = InputBox("Enter password")
' Sanitize double quotes in the input string
pw = Replace(pw, Chr(34), Chr(34) & Chr(34))
' Notice how pw is surrounded by double quote characters
connStr = "Provider=SQLOLEDB;Data Source=.\SQLEXPRESS;User ID=test_user;Password=" & Chr(34) & pw & Chr(34)
' Test the connection. We'll get a runtime error if it didn't work
Set conn = CreateObject("ADODB.Connection")
conn.Open connStr
conn.Close
WScript.Echo "OK!"
If my password were app"le'\, the connection string would end up as:
Provider=SQLOLEDB;Data Source=.\SQLEXPRESS;User ID=test_user;Password="app""le'\"
However, this doesn't work for all possible inputs. For example, the test script gives an error when the password contains a double quote before a semicolon. It could be that I'm interpreting the guidelines incorrectly. I'm not sure, but hopefully, this at least gets you started.
Related
I am trying to add to a table called Users in an Access database I have created. I am using the following code to do it (which has been copied from here):
import pyodbc
def createAccount():
conn = pyodbc.connect(r"Driver={Microsoft Access Driver (*.mdb, *.accdb)};DBQ=myPath\User Database.accdb;")
cursor = conn.cursor()
cursor.execute("""
INSERT INTO Users(Username, Password, Chips)
VALUES("User 5", "Pass 5", 7800)""")
conn.commit()
but I get this error:
pyodbc.Error: ('07002', '[07002] [Microsoft][ODBC Microsoft Access Driver] Too few parameters.
Expected 2. (-3010) (SQLExecDirectW)')
I've seen other posts which say to check spelling of all names used and there isn't anything wrong there. So why isn't this code working?
There are some subtle differences in default behaviour between Access SQL queries executed from within the Access application itself (MSACCESS.EXE) and queries executed from external applications via the Access ODBC driver or the Access OLEDB provider.
From within Microsoft Access itself, both double-quotes (") and single-quotes (') can be used to delimit string literals. This has been true since the earliest versions of Access.
However, the ODBC driver and OLEDB provider at least try to more closely conform to ANSI SQL, so single-quotes (') are used to delimit string literals while double-quotes (") are used to delimit table and column names. Therefore "User 5" will be interpreted as a column name or a parameter name depending on whether such a column actually exists.
On screen UI, use unbound field to enter mix of ASCII and Unicode character text string for searching. On the screen, it is correct - for example "White白色". But, on VBA code, the Unicode character of the unbound filed becomes to '?' and cannot be used for searching - "White??" for the above example. How to get the mixed ASCII and Unicode string as on the screen for VBA code?
Below is my code. Me.txName is unbound text field, fiterstr is subform filter. It works, if name is all ASCII. It will search '?', if Unicode is entered.
Dim filterstr As String
If Me.txName <> "" Then
filterstr = "(Customer.Company LIKE '*" & Me.txName & "*')"
End If
Me.sfmCustomerList4Search.Form.Filter = filterstr
With Erik A. help, this question has been solved. On my question, there are two problems.
Access Msgbox does not support unicode. Erik A. has written up an unicode-compatible messagebox-implementation MsgboxW here
Data is stored ad SQL Server while Access is front end UI. SQL collation must be setup to compatible with Unicode language. Please see See Chinese collation for MS SQL.
I was save this string to DB
{"form_5_check":"N\u00e1kladov\u00e9 stredisko"}
But in mysql db is this string:
{"form_5_check":"Nu00e1kladovu00e9 stredisko"}
Pls where are "\" lost ? Thanks a lot
MySQL treats the backslash character as an escape character. If you did something like this:
query = "INSERT INTO foo (json) VALUES ('" + json + "');
you have basically three problems:
the single backslash you have will get interpreted as an escape character, not as content; unless the next character is a quote or another backslash, it will have escaped nothing, and silently disappear.
if your json contained any single quotes, and you are lucky, you will get a syntax error, as the quote that was supposed to contain the value will be closed, and gibberish that SQL can't parse follows.
if your json contained any single quotes, and you're not lucky, you're now a victim of SQL injection attack, the most infamous example being XKCD's.
To avoid all that, make sure that your data is properly sanitised before it hits the database. This can be done in two ways:
The manual, and error-prone way includes always remembering to escape any characters that need it any time you insert a string into a query. This differs between databases. Some databases want a backslash before quotes, while some prefer doubling the quotes and doing nothing to backslashes. Some allow both. Many languages and/or database access libraries have functions that do this in a way appropriate for the database.
The automated, foolproof and very much preferred way is to use parametrised queries and prepared statements that do this for you in a transparent and easy-to-use way. You do not have a specific language tagged, so I can't give you the solution, but the Bobby Tables site has answers for many commonly used programming languages.
I'm have a SSIS connection string that includes an escape character which is preventing the connection string from working. Does anyone know how to prevent the escape character from being applied?
Here is an example of my database connection: DatabaseServer\DInstanceName
If you're building connection string dynamically from variables or even if you don't, you can use Properties-> Expressions-> Connection string expression where you can test the resulting output of the expression. And use \ to escape any character.
Better approach would be to use SSIS XML Configuration so you don't need to edit your package everytime you need to make some changes in connection string.
the escaping will be "\" it will give you \ but for your connection string I alredy give a solution on you other ques . here also I am pasting the same thing. plz check it :)
I have taken the first parameter for connction string like : "anystaring
and the second parameter for the db is : newdb"
so now check the screenshot I have given the URL(not able to upload the image sorry):
http://tinypic.com/view.php?pic=2v3oj6x&s=8#.VHQ8aSjrbcs
I am concerned about inserting text in a MySQl table w.
I have to insert/update text that contains characters such as / " and '
The escape character / could be inserted only if the NO_BACKSLASH_ESCAPES SQL mode is enabled. wich interfere with the characters " and ' see this link http://dev.mysql.com/doc/refman/5.1/en/string-literals.html#character-escape-sequences
If anyone can explain to is in earth the mysql_real_escape_string() I don't came to understated
I would like to find a pure mysql solution
I am not using php. What I am trying to do here is to "simulate " Content Management System: I am about to write a C# coded solution that manage the content in its different forms(article, category ,tag, etc..) and generate .html files, the MySQl database is local in my computer next i will upload the .html files to the server.
I did this to ensure that all my html pages are html valid and because I don't trust any existent solutions (not only when it concerns coding but in life in general)
Please help
each php db connection extension (mysql, mysqli, pdo) has a special way to safe query against sql injections, when you are using mysql extension, it's strongly recommended to use mysql_real_escape_string() function to make safe all variables used in query, it's most widely used function. i think there isn't any pure solution (when you are using mysql extension in php).
from php.net:
mysql_real_escape_string()-Escapes special characters in the
unescaped_string, taking into account the current character set of the
connection so that it is safe to place it in a mysql_query().
Whatever string data can be inserted into SQL query, if formatted according to 2 rules
it is enclosed in quotes (preferably single ones)
it is passed through mysql_real_escape_string()
if both rules followed, there would be not a single problem with whatever characters, either slashes, quotes or anything.
According to your question, / has no special meaning in MySQL. It's \ that is escape character. It can be escaped by another backslash as well.
$str = 'slashes \ quotes \' or whatever " else symbols';
var_dump($str);
$str = mysql_real_escape_string($str);
$sql = "INSERT INTO table SET str='$str'";