Is htmlspecialchars enough to prevent an SQL injection on a variable enclosed in single quotes?

htmlspecialchars fails to encode the critical characters \0 (NUL byte) and \b (backspace), as well as the \ character. In order to exploit this, you need a statement with multiple injection points. With this you can escape the closing delimiter of one string literal and thus expand it up to the next starting …

How to cleanse (prevent SQL injection) dynamic SQL in SQL Server?

I believe there are three different cases that you have to worry about: strings (anything that requires quotes): '''' + replace(@string, '''', '''''') + ''''; names (anything where quotes aren’t allowed): quotename(@string); things that cannot be quoted: this requires whitelisting. Note: Everything in a string variable (char, varchar, nchar, nvarchar, etc.) that comes from user-controlled …

How to avoid SQL injection in CodeIgniter?

CodeIgniter’s Active Record methods automatically escape queries for you, to prevent SQL injection. $this->db->select('*')->from('tablename')->where('var', $val1); $this->db->get(); or $this->db->insert('tablename', array('var1'=>$val1, 'var2'=>$val2)); If you don’t want to use Active Records, you can use query bindings to protect against injection. $sql = "SELECT * FROM tablename WHERE var = ?"; $this->db->query($sql, array($val1)); Or for inserting you can use the insert_string() …

When is it best to sanitize user input?

Unfortunately, almost none of the participants ever clearly understand what they are talking about. Literally. Only Kibbee managed to get it straight. This topic is all about sanitization. But the truth is, such a thing as the broadly termed “general purpose sanitization” everyone is so eager to talk about just doesn’t exist. There are a …

Can parameterized statement stop all SQL injection?

When articles talk about parameterized queries stopping SQL attacks they don’t really explain why; it’s often a case of “It does, so don’t ask why” — possibly because they don’t know themselves. A sure sign of a bad educator is one that can’t admit they don’t know something. But I digress. When I say I …

Preventing SQL Injection in ASP.Net

Try using a parameterized query; here is a link: http://www.aspnet101.com/2007/03/parameterized-queries-in-asp-net/ Also, do not use OpenQuery… use this to run the select: SELECT * FROM db…table WHERE ref = @ref AND bookno = @bookno More articles describing some of your options: http://support.microsoft.com/kb/314520 What is the T-SQL syntax to connect to another SQL Server? Edited Note: …

SQL Server – Dynamic PIVOT Table – SQL Injection

We’ve done a lot of work similar to your example. We haven’t worried about SQL injection, in part because we have complete and total control over the data being pivoted; there’s just no way malicious code could get through ETL into our data warehouse. Some thoughts and advice: Are you required to pivot with nvarchar(500) columns? …

How do I re-write a SQL query as a parameterized query?

You need to use parameters instead of just concatenating together your SQL: using (SqlConnection con = new SqlConnection(--your-connection-string--)) using (SqlCommand cmd = new SqlCommand(con)) { string query = "SELECT distinct ha FROM app WHERE 1+1=2"; if (comboBox1.Text != "") { // add an expression with a parameter query += " AND firma = @value1 "; …