Questions tagged [sql-injection]
For questions about SQL injection vulnerabilities.
74 questions
89 votes, 6 answers
Do stored procedures prevent SQL injection?
Is it true that stored procedures prevent SQL injection attacks against PostgreSQL databases? I did a little research and found out that SQL Server, Oracle and MySQL are not safe against SQL injection even if we only use stored procedures. However,…
Am1rr3zA
50 votes, 1 answer
SQL injection in Postgres functions vs prepared queries
In Postgres, are prepared queries and user defined functions equivalent as a mechanism for guarding against SQL injection?
Are there particular advantages in one approach over the other?
user4930
21 votes, 3 answers
How can I insert smiley faces into MySQL ( )
I'm on MySQL 5.5.21, and trying to insert the '\xF0\x9F\x98\x8A' smiley face character. But for the life of me, I can't figure out how to do it.
According to various forums which I've been reading, it is possible. But whenever I try it, the data…
Bryan Hunt
20 votes, 2 answers
Why does SQL Injection not happen on this query inside a stored procedure?
I made the following stored procedure:
ALTER PROCEDURE usp_actorBirthdays (@nameString nvarchar(100), @actorgender nvarchar(100))
AS
SELECT ActorDOB, ActorName FROM tblActor
WHERE ActorName LIKE '%' + @nameString + '%'
AND ActorGender =…
Ravi
12 votes, 3 answers
Is there any way to break out of the string and inject SQL without using a single quote in oracle?
I'm testing an oracle based application and I've found the following code:
Query = "SELECT name FROM employees WHERE id='"+PKID+"';"
i.e. the query string contains quotes around the PKID value which is obtained straight from the URL.
Obviously, this…
jdsnape
11 votes, 1 answer
What function quotes an identifier in dynamic-sql with SQL Server?
What is the SQL Server method of safe-quoting identifiers for dynamic SQL generation?
MySQL has quote_identifier
PostgreSQL has quote_ident
How do I ensure given a dynamically generated column name for a dynamically generated statement that the…
Evan Carroll
10 votes, 6 answers
Is this SQL Procedure "injection proof"?
Most all answers and examples of SQL injection are showing some form of dynamic SQL or interpreting parameters as SQL.
I haven't been able to find an example of the "correct" way. Microsoft and Oracle's documentation just shows examples of what not…
UpTide
9 votes, 1 answer
Should we still be using QUOTENAME to protect from injection attacks?
I was looking at an old stored procedure today and noticed it was using quotename on the input parameters. After doing some digging to figure out what that does exactly I came across this site. I now understand what it does and how to use it but the…
Matthew Verstraete
8 votes, 3 answers
How does use of sp_executesql with parameters protect against SQL injection?
The following is a dynamic filtering solution that uses sp_executesql
IF OBJECT_ID(N'dbo.GetOrders', N'P') IS NOT NULL DROP PROC dbo.GetOrders;
GO
CREATE PROC dbo.GetOrders
@orderid AS INT = NULL,
@custid AS INT = NULL,
@empid AS INT = NULL,
…
T. Webster
8 votes, 2 answers
Should date formats be specified in SQL statements?
I see code from developers using implicit date conversion. I would like a definitive answer to why they should not do this.
SELECT * from dba_objects WHERE Created >= '06-MAR-2012';
Leigh Riffel
8 votes, 3 answers
Find the source of a recurrent mass SQL edit on a server
I'll try to explain my problem as clearly as possible.
The server of a company I support runs many websites. This server runs Windows Server 2012 with Microsoft SQL Server 2014.
Almost all of the websites are running a proprietary web application,…
RandomITGuy
7 votes, 4 answers
Does putting single quotation marks around numeric constants really protect from SQL injection in MySQL?
The manual seems to suggest that using quotes around numbers is sufficient to protect from SQL injection.
According to section 5.3.1. General Security Guidelines of the MySQL 5.1 Reference Manual:
If an application generates a query such as SELECT…
jason_ruz
6 votes, 3 answers
Building Dynamic SQL-Server Where Clause
Let us review this dba.exchange Oracle question for SQL-Server.
This is SaUce's code, after a little formatting:
CREATE PROCEDURE GetCustomer
@FirstN nvarchar(20) = NULL,
@LastN nvarchar(20) = NULL,
@CUserName nvarchar(10) = NULL,
…
bernd_k
6 votes, 1 answer
Wildcard search using parameters in function with dynamic SQL
What is the proper way to implement a wildcard search in PostgreSQL when using a parameter in a function that uses dynamic SQL?
As a starting point, here is an example from Erwin Brandstetter answering a different question on…
mg1075
5 votes, 1 answer
Microsoft SQL Server SQL Injection Through .NET Even With Quote Escaping
I've been reading up on SQL Injection as part of a security audit for a fairly large web service. I've been googling and read all the posts I could find here and on SO and have a fairly solid understanding of how dynamic queries really should be…
James