Does this code prevent SQL injection?

In answer to your direct question: Does this code prevent SQL injection? No. Here's the proof: push this string through the PrepareString method:

    Dim input = "'" & Chr(8) & "; Drop Table TableName; -- " & Chr(8) & "-"
    Dim output = PrepareString(input)
    Console.WriteLine(input)
    Console.WriteLine(output)

I modified the GetRecord method you posted to … Read more

MySQL Prepared Statements

Use PDO (PHP Data Objects) to connect to your MySQL database. This method will make sure that all database input will always be treated as text strings and you will never have to do any manual escaping. This combined with proper use of html_entities() to display data from your database is a solid and good … Read more

Does using parameterized SqlCommand make my program immune to SQL injection?

I'd say for your particular, and probably canonical, example for parametrized queries, yes it is sufficient. However, people sometimes write code like this

    cmd.CommandText = string.Format("SELECT * FROM {0} WHERE col = @col;", tableName);
    cmd.Parameters.Add("@col", …);

because there is simply no way to pass the tablename itself as a parameter and the desire to do … Read more

Does the preparedStatement avoid SQL injection? [duplicate]

Using string concatenation for constructing your query from arbitrary input will not make PreparedStatement safe. Take a look at this example:

    preparedStatement = "SELECT * FROM users WHERE name='" + userName + "';";

If somebody puts ' or '1'='1 as userName, your PreparedStatement will be vulnerable to SQL injection, since that query will be executed … Read more
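The two answers above make the same point from opposite sides: a parameter binder protects only the values that are actually bound, and a table name cannot be bound at all. The block below is an added example, not code from either answer; it uses Python's sqlite3 module as a stand-in for SqlCommand or PreparedStatement, and the users/audit tables, the rows and the allow-list are constructed for the demonstration. It shows the concatenated query falling to ' or '1'='1, the same query with the value bound, and an allow-list check for the dynamic table name:

```python
import sqlite3


# Constructed sample schema for the demonstration (not from the original page).
def make_users_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT);
        INSERT INTO users (name, secret) VALUES ('alice', 'a-secret'), ('bob', 'b-secret');
        CREATE TABLE audit (id INTEGER PRIMARY KEY, note TEXT);
        INSERT INTO audit (note) VALUES ('login ok');
    """)
    return conn


def find_user_concat(conn, user_name):
    """VULNERABLE: the value is spliced into the SQL text before the driver
    ever sees it, so handing the result to a 'prepared statement' API changes
    nothing. user_name = "' or '1'='1" makes the clause  name='' or '1'='1'."""
    sql = "SELECT name FROM users WHERE name='" + user_name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn, user_name):
    """SAFE: the SQL text is fixed; the value is bound by the driver and is
    compared as data, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name=?"
    return [row[0] for row in conn.execute(sql, (user_name,))]


# Identifiers (table and column names) cannot be bound as parameters.
# The defence is an allow-list of the names the application actually uses.
ALLOWED_TABLES = frozenset({"users", "audit"})


def is_allowed_table(table_name):
    return table_name in ALLOWED_TABLES


def count_rows(conn, table_name):
    """Dynamic table name, checked against the allow-list before it is
    interpolated. Anything else is rejected outright rather than 'escaped'."""
    if not is_allowed_table(table_name):
        raise ValueError("unknown table: %r" % (table_name,))
    # Quoting the identifier is belt-and-braces; the allow-list did the real work.
    return conn.execute('SELECT COUNT(*) FROM "%s"' % table_name).fetchone()[0]


if __name__ == "__main__":
    db = make_users_db()
    hostile = "' or '1'='1"
    print("concat :", find_user_concat(db, hostile))   # ['alice', 'bob']: every user leaks
    print("param  :", find_user_param(db, hostile))    # []: nothing matches
    print("rows   :", count_rows(db, "users"))         # 2
    try:
        count_rows(db, "users; DROP TABLE audit")
    except ValueError as exc:
        print("reject :", exc)
```

The allow-list is the only honest answer for identifiers: there is no escaping rule that turns an arbitrary string into a safe table name, so the code accepts a closed set and refuses everything else.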

SQL Server – Dynamic PIVOT Table – SQL Injection

We've done a lot of work similar to your example. We haven't worried about SQL injection, in part because we have complete and total control over the data being pivoted: there's just no way malicious code could get through ETL into our data warehouse. Some thoughts and advice: Are you required to pivot with nvarchar(500) columns? … Read more

How to prevent a SQL Injection escaping strings

You need to use parameters. Well, you don't have to, but it would be preferable.

    SqlParameter[] myparm = new SqlParameter[2];
    myparm[0] = new SqlParameter("@User", user);
    myparm[1] = new SqlParameter("@Pass", password);
    string comando = "SELECT * FROM ANAGRAFICA WHERE E_MAIL=@User AND PASSWORD_AZIENDA=@Pass";

How can sanitation that escapes single quotes be defeated by SQL injection in SQL Server?

There are a few cases where this escape function will fail. The most obvious is when a single quote isn't used:

    string table = "\"" + table.Replace("'", "''") + "\"";
    string var = "`" + var.Replace("'", "''") + "`";
    string index = " " + index.Replace("'", "''") + " ";
    string query = "select * from `" + table + "` where … Read more
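As an added example that is not from the answer above (Python with sqlite3; the accounts table and its balances are constructed for the demonstration), the block shows the same doubling-of-quotes sanitizer failing in the two places the answer names: a numeric comparison, where the input is never wrapped in quotes at all, and an identifier position (here ORDER BY), where an attacker can smuggle in a whole CASE expression that contains no single quote and read data out through the sort order. Binding the value as a parameter fixes the first; the second cannot be bound and, as the earlier answer on table names says, has to be checked against a fixed list of column names.

```python
import sqlite3


def escape_quotes(value):
    """The 'sanitizer' under discussion: doubles single quotes and nothing else."""
    return str(value).replace("'", "''")


# Constructed sample data (not from the original page).
def make_accounts_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER);
        INSERT INTO accounts (owner, balance) VALUES ('alice', 100), ('bob', 250);
    """)
    return conn


def owner_by_id_escaped(conn, account_id):
    """VULNERABLE: numeric context. The value is not wrapped in quotes, so
    doubling quotes is irrelevant; "1 OR 1=1" passes through untouched."""
    sql = "SELECT owner FROM accounts WHERE id = " + escape_quotes(account_id)
    return [row[0] for row in conn.execute(sql)]


def owners_ordered_escaped(conn, column):
    """VULNERABLE: identifier context. ORDER BY accepts any expression, so an
    attacker can supply a CASE that flips the sort order depending on data
    they may not read, and needs no single quote to do it."""
    sql = "SELECT owner FROM accounts ORDER BY " + escape_quotes(column)
    return [row[0] for row in conn.execute(sql)]


def owner_by_id_param(conn, account_id):
    """FIXED: the value is bound, so "1 OR 1=1" is compared as a string against
    the integer id and matches nothing; a real id still works."""
    sql = "SELECT owner FROM accounts WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (account_id,))]


def oracle_payload(threshold):
    """Blind-inference payload for the ORDER BY position: no quotes anywhere,
    yet the resulting sort order tells the attacker whether account 2's
    balance exceeds the threshold (hypothetical attacker input, constructed here)."""
    return ("CASE WHEN (SELECT balance FROM accounts WHERE id=2) > %d "
            "THEN id ELSE -id END" % threshold)


if __name__ == "__main__":
    db = make_accounts_db()
    print(owner_by_id_escaped(db, "1 OR 1=1"))              # ['alice', 'bob']: both leak
    print(owner_by_id_param(db, "1 OR 1=1"))                # []
    print(owners_ordered_escaped(db, oracle_payload(200)))  # ['alice', 'bob']: balance > 200
    print(owners_ordered_escaped(db, oracle_payload(300)))  # ['bob', 'alice']: balance <= 300
```

Repeating the ORDER BY probe with different thresholds recovers the hidden balance by binary search, which is why an escaping routine keyed to one character is not a defence: the attacker simply picks a context where that character is not needed.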