If data returned by CreateODBCDate is being used in SQL queries, should I sanitize the returned value or is that not necessary? Here's the official documentation.
No sanitation needed for CreateODBCDate, but make use of <cfqueryparam> and take advantage of both security (built-in validation) and performance (prepared statement) for free would be a smart thing to do.
Related
I am trying to add basic read/write authorization in gremlin-server, I want to know if there is a way by which I can identify if this query is read-only query or write query.
There is no API call you can make to determine that, but you can get inspiration for how to detect it from ReadOnlyStrategy here. The key is to cycle the Traversal object and look for a Step that implements the Mutating interface. If you find one of those in there, you could classify the traversal as a write query.
Of course, for Gremlin, classifying a query and read or write isn't so binary as it could easily be a mix of read and write. It's also possible that at runtime the write might never execute depending on the flow of the traversal, so it could be "runtime readonly". Hopefully, detecting the Mutating interface is a good-enough solution for you.
I'm not sure where you intend to implement this authorization function but I sense it would be best done as a TraversalStrategy that would then fire on traversal execution. I don't know if that's too late for your authorization process, but it would be the easiest way I can envision. The problem is that if you are accepting scripts then with that approach you could get a partial execution of that script up to the point where authorization was not allowed. If you needed to disallow an entire script based on one write traversal then you might need to look at a custom sandbox. Of course, it is better to avoid scripts altogether and simply use bytecode based requests only. If you are only concerned with bytecode then TraversalStrategy should work pretty well for the authorization use case.
I'm writing an API that converts actions performed by a non-technical user into Salesforce.com SOQL 'SELECT', 'UPSERT', and 'DELETE' statements. Is there any resource, library, etc. out there that could validate the syntax of the generated SOQL? I'm the only one at my company with any experience with SOQL, so I'd love to place it into a set of automated tests so that other developers enhancing (or fixing) the SOQL generation algorithm know if it's still functioning properly.
I know one solution here is to just make these integration tests. However, I'd rather avoid that for three reasons:
I'd need to maintain another Salesforce.com account just for tests so we don't go over our API request cap.
We'll end up chasing false positives whenever there are connectivity issues with Salesforce.com.
Those other developers without experience will potentially need to figure out how to clean up the test Salesforce.com instance after DML operation test failures (which really means I'll need to clean up the instance whenever this occurs).
You might solve your problem by using the SoqlBuilder library. It generates SOQL for you and is capable of producing SOQL statements that would be quite error prone to create manually. The syntax is straight forward and I've used it extensively with very few issues.
I found another way to do this.
Salesforce.com posted their SOQL notation in Backus-Noir Form (BNF) here:
http://www.salesforce.com/us/developer/docs/api90/Content/sforce_api_calls_soql_bnf_notation.htm
This means you can use a BNF-aware language recognition tool to parse the SOQL. One of the most common tools, ANTLR, does this and is free. Following the ANTLR example, pass the SOQL grammar into its grammar compiler to get a Lexer and a Parser in your desired language (C#, Java, Python, etc.). Then you can pass the actual SOQL statements you want to validate into the Lexer, and then your Lexer tokens into your Parser, to break apart the SOQL statements. If your Lexer or Parser fails, you have invalid SOQL.
I can't think of a way to do this from outside of Salesforce (and even in Apex I've only got one idea right now that may not work), but I can think of two suggestions that may be of help:
Validate queries by running them, but do them in batches using a custom web service. i.e. write a web service in Apex that can accept up to 100 query strings at once, have it run them and return the results. This would drastically reduce the number of API calls but of course it won't work if you're expecting a trial-and-error type setup in the UI.
Use the metadata API to pull down information on all objects and their fields, and use those to validate that at least the fields in the query are correct. Validating other query syntax should be relatively straight forward, though conditionals may get a little tricky.
You can make use of the salesforce develop nuget packages that leverages SOAP API
I have used parameterized query number of times I know it helps in preventing SQL injection.
But, I was wondering if I can know what is basic logic working inside a parameterized query
to prevent SQL injection may be it is very simple but I don't know about it. I tried to search google what are the basic of it but every time I found an example that how to use parameterized query in Asp.net.
I know about making a special class which stops those special characters like (',-- etc) which are used in SQL injection, but does stopping only special characters totally prevent SQL injection?
And one last thing does .net parameterized query can fully stop SQL injection?
I think parametrized queries are not dependent on prepared queries database support. Database driver itself passing values the safe way, and how is it done depends on driver itself.
The PostgreSQL manual explains basics about parametrized queries on database level.
On the other hand, parametrized queries simplifies you passing locale sensitive data.
For example, user enters 100,00 decimal, but your server expects 100.00 value.
In every database engine I know, using "prepared" (aka "parametrized", or "static") queries prevents SQL injection. You don't need to filter any characters if they're being passed to parameters. If you ever write SQL that is concatenated together in code rather than prepared with parameters, you are probably at risk for SQL injection. You should the security manual for the database you're using, it will very likely have a section on SQL injection, but just read all of it. I bet it will take under an hour and will give you solid instruction and confidence that you're following best the practices that apply to your database.
I would like to know whether anyone knows about a library or code that will accept a PL/SQL string and thow error if there is any PL/SQL injection. Most of the open source projects in the internet are created in PHP.
You need to use parameters, for example
UPDATE mytable SET field=:param WHERE id=:id
And then assign :param and :id to be the value that you get from the untrusted source (form value, url params, cookie, ...)
This also improves performance, and you don't need to parse anything to determine if it's injection or not. (Such approaches might have subtle bugs that you don't see, but the attaker will use. I mean you cannot verify that every possible attack, including those you haven't thought of yet, will be stopped by an injection-detection logic.)
Assuming you have a very good reason to use both dynamic SQL and to embed strings in your statements rather than use bind variables, Oracle has a built-in library for this purpose. It's called dbms_assert.
See http://docs.oracle.com/cd/E11882_01/appdev.112/e40758/d_assert.htm for full details on this package.
Is there any pl/sql package which is already written to handle all the scenearios which prevents SQL Injection.Please let me know if any one aware such package.
Thanks for your help
Prepared Statements
just use prepared statements in PL/SQL. That will protect against sql injections
Thanks for reply , I am looking for a package that validates user inputs. Like checks for only alpha numeric and special symbols etc etc It would be great helpful if package exits to check all scenarios –
It sounds more like you want an ORM for applications that use the database more than a PostgreSQL package. Or at least encapsulate your code in a function to provide parameterization.
Think about it this way. SQL injection works by turning invalid input into malicious (but valid) SQL. How would the database be able to determine anything else as far as whether or not it's valid SQL? And if it could tell otherwise in all cases, why wouldn't it just do that by default instead of requiring you to use a certain package?