Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 2 years ago.
Improve this question
I created an AWS Lambda function that fetches data from an RDS (Postgres) and returns it as json via an API Gateway (url). The url accepts 3 GET parameters which are used to filter the data based on the user needs.
My question is, how safe is (in terms of attacks like SQL Injection etc.) to share the URL to developers who want to see my data? The idea is to use this infrastructure as a temporary API alternative, to gather up usage feedback.
My question is, how safe is (in terms of attacks like SQL Injection etc.) to share the URL to developers who want to see my data? The idea is to use this infrastructure as a temporary API alternative, to gather up usage feedback.
If you're trying to mitigate SQL injection specifically, you just need to ensure that your code makes use of parameterized queries. If you're concatenating strings to build a SQL query, you're likely vulnerable to SQL injection. Even with character filtering and escaping you can often still wind up vulnerable to SQL injection, so you should make sure to use a library that supports parameterized queries out of the box.
Based off your history, it seems you use PHP. For Postgres PHP has pg_prepare which is safe from SQL injection: https://www.php.net/manual/en/function.pg-prepare.php
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 6 years ago.
Improve this question
I want to create multiple services, which support an SSO (Single Sign-On) service.
To simplify, a google like services. With a single account you can use all services (and you log in once).
I found many ideas, but I want to have some opinions on how to design these services, and which technologies are the most adequate:
many or one database ??
creating an auth api ??
sharing session ?
using nosql databse or not ?
duplicate user information foreach database ?
separate users tables on a single database ?
node js vs php !!
...
Update
I know this is opinion based (I ask for your opinions), I wish to have different proposition of design patterns.
It's purely theorique, so I can understand how it can be done.
This is totally opinion based, and will likely be closed. But...
Don't write your own auth service. There are many good packages out there, and very few people are really qualified to write authentication and authorization platforms. If you really don't want to use a pre-packaged solution, at least use one of them as a template.
Here is a good list of SSO solutions, pick one or two and give them a try. Many are free and open-source. I have had luck with OpenAM, but many others are also very good.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 7 years ago.
Improve this question
When I filled my database with about 25K records, I noticed that my application started working slowly. I've checked out the logs and realize that instead of one SQL request ActiveRecord is performing more that eight. I have rewritten the code to use one SQL request, and it has speeded my application up minimum in two times.
So, is it correct to write raw SQL requests in parts of application that is heavily loaded?
Some times you need to eager load your data. Other times you really need to write raw SQL queries
It is sometimes correct to use raw SQL, as ActiveRecord and Arel do not easily allow the full SQL syntax to be used, and sometimes it is helpful to just express a scope as a raw SQL fragment, but it is not correct for the first response to a performance problem to be the use of raw SQL.
It would be better to explore eager loading and joining methods, and other options, before using raw SQL, as you may be making your application less flexible to changes in future.
If you post the code that is causing the problem and the SQL being generated by it, then you may get useful advice on how to avoid raw SQL.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I have read the posts about sql injection and there I saw that they use the query strings of sites to hack them. I want to know is it safe to use query strings or not and how to make my site stable against sql injection?
A sql injection usually comes from bugs in code that runs server side and submit sql queries to a database. Many bugs in the way you implement this can result to a sql injection. You can read values from a url, but before you plug these values to a sql query you should make some checking.
In order to answer to your question, query strings are safe the way you use the variables that are in them may be not.
As for making your site not vulnerable to them you should implement all your data access layer code (calling of stored procedures, of CRUD operations, of functions etc.) not vulnerable to them. For instance if you use queries, in which you pass parameterized variables then you can avoid a great deal of sql injections. Please take a look here
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
If you build your SQL statements from untrusted data, such as query strings, then you are vulnerable to SQL injection.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 9 years ago.
Improve this question
SQL is one of the most powerful and most currently used languages​​, but for purposes of curiosity and learning would test new technologies and want to know what are the fastest.
I text talking about NoSQL (json) and also about "plain text" file (. Txt or. Dat or. INI) with information from publications, settings, and the like.
What is the fastest processing, taking for example the Wordpress CMS is a very famous and one of the largest in the world, it uses SQL, say we make a request of 50 posts from the database, using the default template, all standardized compared with a requisition 50 posts from the same hierarchy but in file. txt or json file, which technology and fashion that renders faster?
If you will work with storage only in read or write, json or text file will be more faster than mysql, otherwise if you want to process complex data, mysql is faster.
If you want to work with less overhead, try to use SQLite database or similar
NoSQL databases like Redis, MongoDB is faster than MySql, but for using it, you must have personal hosting with root access
Although I don't have numbers to prove my guess, I think that any database will always be faster than a text file, just consider its indexing capabilities.
If instead you want to compare different databases, then, as others already said, it's a matter of the specific domain / problem you're working on and the structure you gave to the specific database schema.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 11 years ago.
Improve this question
I am always interested in hacking, I understand the concept of SQL injection and cross site scripting. However, the thing I don't know is how to detecting a possible SQL injection. I have checked some books, but I didn't get too much information. Do hackers do the detection work by hand or they have smarter automatic tools?
So, I'm thinking of writing a simple tool to do automatic injection check (using qwebkit). I want to capture the http requests before sending them and replace some form data of the http header with SQL injection commands. The program checks the http response and compare it with a normal response and reports any difference.
The thing is that I have never found a SQL injection myself, so is this idea valid?
Say, if I successfully upgrade myself to administrator of certain website, the returned http response should look normal. So I shouldn't be able to automatically report that with my program?
You probably want to take a look at the SQL Injection Cheatsheet. It lists the tricks hackers will usually try to determine whether a particular input field is exploitable and then to extract data from the database.