I'm using this code (python using sqlite3) to add data to the table:
''' INSERT INTO TABLE (USERNAME) VALUES ("''' + data + '''")'''
If I block ", then (to the best of my knowledge) it should be impossible to exit the string, subsequently making it impossible to SQL inject.
My questions are these:
Does this stop users from being able to inject SQL?
If no, should I add more to the blacklist or create a whitelist?
All help is greatly appreciated.
If you sterilize data before letting it hit the insert statement, making sure that single quotes do not appear anywhere, then in theory SQL injection is not possible. Whatever data gets injected should just be treated a string literal, rendering any injected SQL commands ineffective. However, there may still be ways for an attacker to work around this.
Your best best here would be to just rely on using prepared statements to avoid SQL injection. Attackers keep getting smarter, and there might still be a way to inject your current insert statement from some other means.
Related
I have a web-form with a Name field which I want to be able to accept single apostrophes, such as in the name O'Leary, but when trying to push this record to the SQL 2005 server, I get an error. My question is not this. It's that when I attempt to insert the record into the db using this statement...
Dim acctName As String = Replace(txtName.Text, "'", "''")
I get O''Leary in the database instead of O'Leary. Thought SQL was supposed to treat these double single apostrophes as one apostrophe???
You'd be better off using parameterized queries. These will automatically handle the single quotes, and protect you better from SQL Injection.
Inserting the double single quotes (did I say that right?) is a way of escaping the data. It should work, but it's not a best practice.
See this article for a much fuller answer:
http://msdn.microsoft.com/en-us/library/ff648339.aspx
What I'm proposing is step 3.
Edit - I should read the question better
If you're already using parameterized queries, or a stored procedure, and you're setting the value of acctName to the value of a parameter, then you do not need to escape the quotes yourself. That's handled automatically.
It's also handled by several tools, including the Mirosoft Patterns and Practices Database library. That has several commands where you can pass in a statement and array of objects that are used as parameter values -that handles the escaping as well.
If either of those are the case, you can completely eliminate the line of code where you're replacing the values.
Depends how you're INSERTing the data into the database.
If you're using dynamic SQL and building the SQL string yourself, you are responsible for doubling the quotes yourself. But if you're using a parameterized query (as you should be, and probably are) then the engine will take care of that for you and, if you double the quotes yourself, you'll get doubled quotes in the database.
Note, if you started with dynamic SQL and switched to paramterized queries, this issue would suddenly appear at the time you made the change.
Off-the-cuff, without knowing too much detail I'd recommend checking the SET QUOTED_IDENTIFIER setting on the SQL Server. More information can be found here. Let me know if this helps.
It highly depends what query you actually submit. If you submit '' then this is what will be saved. You do need to double the ' but for other reasons (mainly security, but of course also syntax validity).
Please submit the code that you use to submit the query.
I have used parameterized query number of times I know it helps in preventing SQL injection.
But, I was wondering if I can know what is basic logic working inside a parameterized query
to prevent SQL injection may be it is very simple but I don't know about it. I tried to search google what are the basic of it but every time I found an example that how to use parameterized query in Asp.net.
I know about making a special class which stops those special characters like (',-- etc) which are used in SQL injection, but does stopping only special characters totally prevent SQL injection?
And one last thing does .net parameterized query can fully stop SQL injection?
I think parametrized queries are not dependent on prepared queries database support. Database driver itself passing values the safe way, and how is it done depends on driver itself.
The PostgreSQL manual explains basics about parametrized queries on database level.
On the other hand, parametrized queries simplifies you passing locale sensitive data.
For example, user enters 100,00 decimal, but your server expects 100.00 value.
In every database engine I know, using "prepared" (aka "parametrized", or "static") queries prevents SQL injection. You don't need to filter any characters if they're being passed to parameters. If you ever write SQL that is concatenated together in code rather than prepared with parameters, you are probably at risk for SQL injection. You should the security manual for the database you're using, it will very likely have a section on SQL injection, but just read all of it. I bet it will take under an hour and will give you solid instruction and confidence that you're following best the practices that apply to your database.
I would like to know whether anyone knows about a library or code that will accept a PL/SQL string and thow error if there is any PL/SQL injection. Most of the open source projects in the internet are created in PHP.
You need to use parameters, for example
UPDATE mytable SET field=:param WHERE id=:id
And then assign :param and :id to be the value that you get from the untrusted source (form value, url params, cookie, ...)
This also improves performance, and you don't need to parse anything to determine if it's injection or not. (Such approaches might have subtle bugs that you don't see, but the attaker will use. I mean you cannot verify that every possible attack, including those you haven't thought of yet, will be stopped by an injection-detection logic.)
Assuming you have a very good reason to use both dynamic SQL and to embed strings in your statements rather than use bind variables, Oracle has a built-in library for this purpose. It's called dbms_assert.
See http://docs.oracle.com/cd/E11882_01/appdev.112/e40758/d_assert.htm for full details on this package.
I'm build a web page in ASP.net is supposed to work just like Query Analyzer. It has basically a textarea to input the sql command, and an Execute button.
I'm using SMO to execute the command in the database, as follows:
//Create object SMO
Microsoft.SqlServer.Management.Smo.Server server = new Microsoft.SqlServer.Management.Smo.Server(new Microsoft.SqlServer.Management.Common.ServerConnection(oConn));
//To execute the command
server.ConnectionContext.ExecuteNonQuery(tbx_cmd.Text);
//OR
myDataset = server.ConnectionContext.ExecuteWithResults(tbx_cmd.Text);
The problem is that the textarea command can contain anything, from a stored procedure (with GO's statements) and any select command that return resultsets, just like Query Analyzer.
But, if I have GO statements, I only can perform the query using ExecuteNonQuery method. If I use the ExecuteWithResults method, it raises errors because of the GO statements.
And if I want the resultsets to be available, of course I can only use the ExecuteWithResults method.
Does anybody knows how can I do to execute the same command texts at the same time?
Thank you!
You would have to write your code to split out the commands and be able to recognize where one command ends and another begins. Either way it's not a simple task.
You COULD just make a rule that in your app, all SQL commands end with a semicolon, and then use a string.split() to split it up into multiple strings, and treat each one as a command. That would be dependent on users using this properly, of course.
Speaking of depending on users, I just have to ask, is this something where only you or another trusted person will use it? And something that is not pointing at valuable data? I ask only because when I was a young programmer and didn't know any better, I built such a tool, for a mission-critical database, and now I live in fear that someone is going to do something dumb like
Delete From MyMissionCriticalTable
and then I'll spend who knows how long fixing it...
I have no idea of your experience level, so I don't mean to be insulting when I urge you to consider SHOULD you do it before you worry too much about CAN you do it.
Is there any pl/sql package which is already written to handle all the scenearios which prevents SQL Injection.Please let me know if any one aware such package.
Thanks for your help
Prepared Statements
just use prepared statements in PL/SQL. That will protect against sql injections
Thanks for reply , I am looking for a package that validates user inputs. Like checks for only alpha numeric and special symbols etc etc It would be great helpful if package exits to check all scenarios –
It sounds more like you want an ORM for applications that use the database more than a PostgreSQL package. Or at least encapsulate your code in a function to provide parameterization.
Think about it this way. SQL injection works by turning invalid input into malicious (but valid) SQL. How would the database be able to determine anything else as far as whether or not it's valid SQL? And if it could tell otherwise in all cases, why wouldn't it just do that by default instead of requiring you to use a certain package?