Questions tagged [sql-injection]
14 questions
109
votes
7 answers
You're hired to fix a small bug for a security-intensive site. Looking at the code, it's filled with security holes. What do you do?
I've been hired by someone to do some small work on a site. It's a site for a large company. It contains very sensitive data, so security is very important. Upon analyzing the code, I've noticed it's filled with security holes - read, lots of PHP…

MaiaVictor
- 5,820
- 7
- 27
- 45
60
votes
16 answers
Why did SQL injection prevention mechanism evolve into the direction of using parameterized queries?
The way I see it, SQL injection attacks can be prevented by:
Carefully screening, filtering, encoding input (before insertion into SQL)
Using prepared statements / parameterized queries
I suppose that there are pros and cons for each, but why did…

Dennis
- 8,157
- 5
- 36
- 68
15
votes
6 answers
Discovered large security hole in someone elses website... What to do?
A chap I'm bidding to do some development for has a social network he wrote himself.
Not the next Facebook by any stretch. But a few thousand local users.
I went to have a look at it to see what level of knowledge he had so I knew how to position…

bencoder
- 329
- 2
- 5
13
votes
3 answers
Is reliance on parametrized queries the only way to protect against SQL injection?
All I have seen on SQL injection attacks seems to suggest that parametrized queries, particularly ones in stored procedures, are the only way to protect against such attacks. While I was working (back in the Dark Ages) stored procedures were viewed…

Chris Walton
- 424
- 3
- 9
7
votes
5 answers
Are SQL Injection vulnerabilities in a PHP application acceptable if mod_security is enabled?
I've been asked to audit a PHP application. No framework, no router, no model. Pure PHP. Few shared functions. HTML, CSS, and JS all mixed together. I've discovered numerous places where SQL injection would be easily possible. There are other…

Austin Smith
- 73
- 3
5
votes
1 answer
Is there a database programming language with encapsulation to prevent the injections?
One of the things that annoys me about SQL is that it can't think in terms of objects, and its lack of encapsulation makes me constantly have to escape commands to prevent injections.
I want a database language that can be polymorphic and secure. I have…

DrinkJavaCodeJava
- 215
- 1
- 1
2
votes
1 answer
How to check for vulnerabilities in web application
I have developed a web application using Zend Framework, MySQL, and other client-side technologies like JavaScript, jQuery AJAX, Kendo Grid, and so on.
I have completed development and have done several rounds of testing to make sure the functional…

웃웃웃웃웃
- 131
- 7
1
vote
2 answers
SQL injection attacks, how do I test and secure coldfusion queries?
I'm running ColdFusion 8 and SQL Server 2008.
I've been building several forms that insert data into the database from external users; we have a custom-built security module built by the guy whose job I've taken.
1) How can we test our HTML…

Snow_Mac
- 349
- 1
- 3
- 9
1
vote
1 answer
Converting a large PHP codebase from mysql_ to PDO
At my workplace we're soon going to be tasked with removing SQL injection vulnerabilities from a large code base. The application was originally written around 8 years ago and after years of bolt-ons and additional features, security is finally…

Adam Copley
- 472
- 3
- 11
1
vote
1 answer
Is this type of data insertion safe, and can it stop SQL injection in Python?
I am learning database connections from the MySQL Connector/Python Developer Guide.
This is the code I am using to insert data:
import mysql.connector  # import needed for the connector call below

conn = mysql.connector.connect(user="user", password="password", host="127.0.0.1", database="db")
cursor = conn.cursor()
query…

CS GO
- 111
- 3
1
vote
4 answers
Database Handler and SQL injection prevention
I've written a database model class in PHP and have written a controller class that specifically validates the data before sending it to the DB. I'm getting criticism that I should handle the data in the database model class rather than the controller class.
I…

Syntax Error
- 155
- 6
0
votes
1 answer
Variable WHERE clause while avoiding sql injection
I want the user to be able to provide a custom WHERE statement against a MySQL-backed platform... Do I need to worry about any possible SQL injection attacks, notwithstanding invalid SQL? See the pseudo code below.
return sqlExec("select a,b,c from…
0
votes
2 answers
Is my application vulnerable to SQL injection if I don't specify each type in Doctrine2?
I thought Doctrine 2 DBAL prepared statements were safe from SQLi. But I found this confusing bit in the docs:
By default the Doctrine DBAL does no escaping. Escaping is a very
tricky business to do automatically, therefore there is none by
…

ChocoDeveloper
- 393
- 1
- 4
- 14
-1
votes
3 answers
General SQL Question
Let's say a user goes to the login page of my website and creates an account. Instead of entering their real name, they decide to write some SQL code and try to gain access to my database.
I have prepared statements to prevent any harmful code…

Cole
- 1
- 1