I have a tiny editor web page where my users can use this editor, and I am saving the HTML into my database.
I am having issues saving this HTML to my database. For example, if there is a name with a "'" or if there are other HTML characters ("<", ">", etc.), my code seems to blow up on the insert.
Are there any best practices for taking arbitrary HTML and having it persist fully to a DB field without worrying about any specific characters?
I'm wondering if you are building the full query. Instead, use a parameterized query, and that should eliminate your data problems.
using System.Data.SqlClient;

// Named @parameters carry the values; the HTML is never spliced into the SQL text.
string sqlIns = "INSERT INTO table (name, information, other) VALUES (@name, @information, @other)";
SqlCommand cmdIns = new SqlCommand(sqlIns, db.Connection);
cmdIns.Parameters.AddWithValue("@name", info);
cmdIns.Parameters.AddWithValue("@information", info1);
cmdIns.Parameters.AddWithValue("@other", info2);
cmdIns.ExecuteNonQuery();
Do you insert using SqlParameter? If yes, you should not have problems; check that.
You could just HtmlEncode the data.
You'll have an HttpContext.Current.Server object, so in pseudo-code you'd just do:
Database.Save(HttpContext.Current.Server.HtmlEncode(myHtml));
and to retrieve it:
myHtml = HttpContext.Current.Server.HtmlDecode(DataBase.Load());
Just reading through this: is your problem actually on the insert statement, or do you get a problem from the web server before it ever hits your controller? Noticing that you tagged the question with asp.net-mvc, you may need to make sure that you have decorated your controller method with the [ValidateInput(false)] attribute.
I looked through the docs and I didn't find anything on this subject, but I thought I'd ask, to be sure:
Is there a way for OrmLite's INSERT and UPDATE APIs to make it possible, in one query, to insert/update columns that are not present in the POCO?
DateTime myTimestamp = DateTime.Now;
db.Insert<MyPoco>(myPoco, new { MyNewColumn = myTimestamp });
or something like it?
I know that I can make a custom SQL, so either make a second query, inserting the custom columns, or write the whole thing myself, but I'd like to avoid that and let OrmLite do what it's supposed to do.
OrmLite is a typed code-first ORM where each POCO is the authoritative source and maps 1:1 to its respective RDBMS table.
You can't use OrmLite's typed APIs with an unknown or dynamic schema and would need to execute a custom SQL INSERT, e.g.:
db.ExecuteSql(
    "INSERT INTO page_stats (ref_id, fav_count) VALUES (@refId, @favCount)",
    new { refId, favCount });
I am creating a PHP page with a small and simple database.
When I visit it online and try to pass the parameter "length" in the URL, like index.php/?length=1, it works fine and fetches the data.
If I add a single quote, like index.php/?length=1', I get no SQL error on the page...
but if I use index.php/?length=-1 I see the SQL error on my page.
Does this mean that my page is vulnerable?
How can I further test it and fix the problem?
Edit: added the code
// %d plus intval(): only the integer component of the id ever reaches the query
$shirt = $wpdb->get_results( $wpdb->prepare("SELECT `title`, `website`, `material`, `color`, `width`, `height`, `group`, `category`, `numbers_positive`, `numbers_negative`, `custom` FROM {$wpdb->shirts} WHERE `id` = '%d' ORDER BY `rank` ASC, `id` ASC", intval($shirt_id)) );
if (!isset($shirt[0])) return false;
$shirt = $shirt[0];
$shirt->title = htmlspecialchars(stripslashes($shirt->title), ENT_QUOTES);
$shirt->custom = maybe_unserialize($shirt->custom);
$shirt->color = maybe_unserialize($shirt->color);
if ( $this->hasBridge() ) {
    global $lmBridge;
    $shirt->shirtColor = $lmBridge->getShirtColor($shirt->color);
}
$shirt = (object)array_merge((array)$shirt, (array)$shirt->custom);
unset($shirt->custom);
return $shirt;
Yes, from the URL examples you have given, it seems like you take user input and directly insert it into your MySQL statement. That is the absolute worst. You should always parse user input because direct input from a user can result in the string being escaped and them deleting every table in your DB. This is a great example: Bobby Tables
Also, this has been a topic of great discussion. There is a great answer here.
Edit: Using the WordPress framework and looking at your code, it's not as bad as it seemed.
Accepting, but generating an error on -1 does not necessarily mean you are susceptible to an injection attack. As long as you are verifying that the input is an integer and only using the integer component, you're fairly safe.
Prepared statements make it even more secure, by separating the data from the query. Doing that means someone can never 'break out' of what you are supposed to be working on. It's absolutely the right way to use SQL.
We can even take it another step farther, by limiting the ability of the account to do anything other than run stored queries, and storing your queries on the SQL server side, rather than in your PHP. At that point, even IF they broke out (which they can't), they would only be able to access those defined queries.
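The parameterized insert from the first answer, the intval()/%d lookup in the WordPress snippet, and the "data separated from the query" point in the answer above all come down to one mechanism. The following is an added example, not code from any of the posts: it uses PDO with an in-memory SQLite database so it runs offline (mysqli->prepare() with bind_param() and SqlCommand parameters behave the same way), stores editor HTML full of quotes and angle brackets, and then looks rows up with the inputs from the third question (-1 and 1'). The table, column names and sample HTML are constructed for the example.

```php
<?php
// Added example, not code from any of the posts above. PDO with an in-memory SQLite database
// is used so it runs offline; mysqli->prepare()/bind_param() and SqlCommand parameters work
// the same way: the value is sent separately and never becomes part of the SQL text.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE shirts (id INTEGER PRIMARY KEY, title TEXT NOT NULL, custom TEXT NOT NULL)');

// Constructed sample input: the kind of editor HTML the first question says breaks the INSERT.
$editorHtml = '<p class="intro">Dave\'s "quoted" text &amp; <iframe src="https://example.invalid/map"></iframe></p>';

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Insert arbitrary HTML. The placeholders carry the values, so quotes and angle
// brackets never reach the SQL parser and need no escaping of any kind.
function insertShirt(PDO $db, string $title, string $html): int
{
    $stmt = $db->prepare('INSERT INTO shirts (title, custom) VALUES (:title, :custom)');
    $stmt->execute([':title' => $title, ':custom' => $html]);
    return (int) $db->lastInsertId();
}

// Lookup by id, hardened the way the WordPress snippet is: cast to int first (intval),
// then bind the integer. "1'" becomes 1 and "-1" stays -1; neither can alter the query.
function findShirt(PDO $db, string $rawId): ?array
{
    $id = (int) $rawId;
    $stmt = $db->prepare('SELECT id, title, custom FROM shirts WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The shape the third question describes: the raw value interpolated into the SQL string.
// Kept only to make the symptom visible (a parser error on a stray quote); do not use this form.
function findShirtInterpolated(PDO $db, string $rawId): ?array
{
    $row = $db->query("SELECT id, title, custom FROM shirts WHERE id = $rawId")->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$id = insertShirt($db, "O'Neil's \"special\"", $editorHtml);
$stored = findShirt($db, (string) $id);
expect($stored !== null && $stored['custom'] === $editorHtml, 'HTML round-trips byte for byte');
expect(findShirt($db, '-1') === null, '-1 matches nothing and raises no error');
expect(findShirt($db, "1'") === $stored, "1' is cast to 1 and raises no error");

try {
    findShirtInterpolated($db, "1'");
    echo "interpolated query unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo 'interpolated query failed as the question describes: ' . $e->getMessage() . "\n";
}
echo "prepared statements stored and read back the editor HTML for row $id\n";
```

Run it with php from the command line (pdo_sqlite is bundled with most PHP builds). The interesting comparison is the last two checks: with the bound integer, -1 and 1' are just ids that match nothing, which is why an error on one of them and not the other is a symptom of string building rather than proof of an injection path by itself.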
Currently, I've been assisting someone to convert a site using classic ASP from MS Access to MySQL (mainly as a bridge until we get time to do a complete rebuild). The current table uses various protected keywords as column names (Datetime, Date, Order, etc.). I'm trying to figure out the proper ways to do a few inserts on these columns. The current code is below:
Set oRSess = Server.CreateObject("ADODB.Recordset")
oRSess.AddNew
oRSess.Fields("Order") = CInt(xyz)
oRSess.Fields("SessionID")
oRSess.Update
Now normally, I'd try to just replace this with a standard SQL insert, but there's lots of code around that breaks easily. Is there a way to add a proper escape character for MySQL to recognize it properly?
I am using Kohana 2.3.4. I have a text area for "Embed Google Map Code", and the system automatically strips the iframe tag, so it is not inserted into the database. Here's my code snippet for inserting/updating:
$this->db->query("UPDATE tbl_sites SET map_code='$_POST[map_code]' WHERE id=$id");
My guess is that you are forgetting the quotes when indexing into the $_POST array. Try this:
$this->db->query("UPDATE tbl_sites SET map_code='{$_POST["map_code"]}' WHERE id={$id}");
You should also make sure to sanitize the values coming from the $_POST array before using it in a query.
That query looks dodgy, but if you're certain it's updating the record correctly, and Kohana is only stripping the iframe, then perhaps this is an issue with XSS filtering. Have you tried turning off global XSS filtering? http://docs.kohanaphp.com/general/security#cross_site_scripting_xss
I am using prepared statements with mysqli to insert and retrieve data on my website; I also used bind_param so I don't add variables directly into the query. I used strip_tags to clean any inputs. What else should I look out for?
Don't use strip_tags() on database input: use htmlentities() (or urlencode() where appropriate) on browser output.
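The answer above, the stripped iframe in the Kohana question, and the HtmlEncode/HtmlDecode round-trip in the earlier ASP.NET answer are all about where encoding happens. The following is an added example, not code from any of the posts: plain PHP with no database, showing that strip_tags() on input throws the embed code away for good, while storing the value untouched and encoding per output context (htmlspecialchars for HTML text, urlencode for a URL parameter) keeps it intact and reversible. The embed string and title are constructed sample input.

```php
<?php
// Added example, not from any post above. No database: it shows why the last answer says
// to keep strip_tags() off the input path and encode at output time instead.
declare(strict_types=1);

// Constructed sample: an embed like the one from the Kohana question, plus a user-supplied title.
$mapEmbed = '<iframe src="https://maps.example.invalid/embed?q=caf%C3%A9" width="400"></iframe>';
$title    = 'Tom & Jerry\'s "Cafe" <3';

// 1. Filtering on input destroys data: strip_tags() removes the whole iframe, which is
//    what the Kohana poster saw, and nothing can reverse it later.
function filteredOnInput(string $html): string
{
    return strip_tags($html);
}

// 2. Store the value as-is (with a prepared statement, as in the other answers) and encode
//    when it is written into an HTML text node. The encoding is reversible, which is what
//    the Server.HtmlEncode / HtmlDecode round-trip in the earlier answer relies on.
function encodeForHtmlText(string $value): string
{
    // ENT_QUOTES covers both ' and "; ENT_SUBSTITUTE avoids returning '' on malformed UTF-8
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function decodeFromHtmlText(string $encoded): string
{
    return htmlspecialchars_decode($encoded, ENT_QUOTES | ENT_HTML5);
}

// 3. A URL query parameter is a different context: urlencode() there, then HTML-encode the
//    finished attribute value because it sits inside an HTML document.
function linkForTitle(string $title): string
{
    $href = '/shirts/?q=' . urlencode($title);
    return '<a href="' . encodeForHtmlText($href) . '">' . encodeForHtmlText($title) . '</a>';
}

$lost = filteredOnInput($mapEmbed);
echo "strip_tags() left: [" . $lost . "]\n";      // empty brackets: the embed is gone

$stored = $mapEmbed;                               // what goes into the DB, unchanged
$shown  = encodeForHtmlText($stored);              // safe to print inside a text node
if (decodeFromHtmlText($shown) !== $stored) {
    throw new RuntimeException('encode/decode did not round-trip');
}
echo "as text node: " . $shown . "\n";
echo "link: " . linkForTitle($title) . "\n";
```

Whether stored HTML is later rendered raw (as the Kohana poster wants for the map) or shown encoded is a trust decision made at output time; the point of the example is that keeping the stored value intact leaves that decision open, whereas strip_tags() on the way in has already made it.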