When using the Zend_Db_Table_Abstract Save function, to update a database, do I need to worry about SQL injection (quote my parameters) or is it done automatically?
How can I see how the query looks?
No, you don't have to worry about SQL injection when using save().
Behind the scenes, Zend Framework uses Zend_Db_Adapter_Abstract::insert() and Zend_Db_Adapter_Abstract::update(), which use bind parameters. All values will be escaped by the framework to prevent SQL injection.
The only risk of SQL injection is when using Zend_Db_Expr to create custom / advanced queries, but this cannot happen when using save().
You may want to have a look on Zend_Db_Profiler to list all queries generated by the framework.
Alternatively, you can also enable your database query logs. See How to enable MySQL Query Log? for MySQL, or How to log PostgreSQL queries? for Postgres.
Related
I am developing a secure Rails app on a secure internal server, though I still want to protect it from any kind of SQL injections or XSS attacks. I know that if I have a search box I can use something like this in my MODEL to protect the app from SQL injections:
def self.search(search)
Project.where("project_title LIKE ?"
"%#{search.strip}%"
end
What about having a submit form with direct actions to a database, say a form on projects/new do I need to protect that input from SQL injections as well, and if so, how can I achieve this?
You have to care about SQL injection whenever you use string concatenation with any kind of user input to construct SQL fragments. If you use parameters, you're fine.
For example this is not vulnerable to SQL injection:
Project.where("project_title LIKE ?", "%#{search.strip}%")
But this is vulnerable, because a request parameter is written directly into the SQL query and the database has no way to know where the intended query ends, so a user could inject additional parts to this query through the search parameter:
Project.where("project_title LIKE %#{search.strip}%")
Similarly, if you post a form, the question is how you use values from the request in resulting queries. If you always use parameters like in the first example above (with ? or named ones with symbols) and any request parameter is always assigned through parameters, your app is not vulnerable. If you ever mix request parameters with SQL queries as string like in the second example, your application will be vulnerable to SQL injection.
So just to clarify: any Rails method call is secure against SQL injection if you are using ActiveRecord. You only have to worry when you write parts of SQL statements yourself as strings and incorporate request parameters into that string. The above example with LIKE is somewhat special, you usually do not need to create SQL strings yourself with an ORM like ActiveRecord.
I have an application in which I'd like to accept a user supplied SQL query from a front-end query builder (http://querybuilder.js.org/). That query eventually needs to make it's way to running in a postgres database to return a subset of data.
The query builder linked above can export SQL or a mongo query. I imagine using the mongo query is relatively safe, since I can add to it simply on the server:
query.owner_of_document = userId
to limit results (to documents owned by the user).
Whereas the SQL statement could potentially be hijacked in an injection attack if someone attempts to store a malicious string of SQL for execution.
Is directly accepting SQL from a client bad practice? How can I ensure the supplied SQL is safe?
Thanks!
Why do you need to accept an entire SQL statement?
Can you accept only parameters and then run a pre defined query?
There are loads of questions/answers on SO relating to SQL injection and using parameters is a first step in avoiding injection attacks, such as "Are Parameters really enough to prevent Sql injections?"
But I think this answer to a different question sums things up well:
Don't try to do security yourself. Use whatever trusted, industry
standard library there is available for what you're trying to do,
rather than trying to do it yourself. Whatever assumptions you make
about security, might be incorrect. As secure as your own approach may
look ... there's a risk you're overlooking something and do you
really want to take that chance when it comes to security?
Im designing a UWP app that uses an SQLite database to store its information. From previous research I have blearnt that using the SQLite function SQLiteConnection.Update() and SQLiteConnetion.Insert() functions are safe to use as the inputs are sanitised before entering in the database.
The next step I need to do is sync that data with an online database - in this case SQL Server - using a service layer as my go between. Given that the data was previously sanitised by the SQLite database insert, do I still need to parameterise the object values using the service layer before they are passed to my SQL Server database?
The simple assumption says yes because, despite them being sanitised by the SQLite input, they are technically still raw strings that could have an effect on the main database if not parameterised when sending them there.
Should I just simply employ the idea of "If in doubt, parameterise" ?
I would say that you should always use SQL parameters. There are a few reasons why you should do so:
Security.
Performance. If you use parameters the reuse of execution plans could increase. For details see this article.
Reliability. It is always easier to make a mistake if you build SQL commands by concatenating strings.
I was wondering if it is possible to have my asp code set flags for my sql database? Although if you have a better suggestion for what to do to avoid a sql injection through the address bar I will take that too.
Basic steps to prevent sql injection attacks are:
Parametrize your queries; that is, do things like:
insert into tables (column, colum2, column) values (?,?,?)
And have your code pass parameters to the query.
Use stored procedures if you can, and fit well your situation (with one caveat - 3rd point below).
If you use stored procs, don't use dynamic SQL inside them or that will expose you again to sql injection attacks. What I mean by that is to avoid concatenating strings inside the stored proc in order to construct your statements.
Validate user input (both, client and server side - never trust javascript validation)
I think following those 4 points will make your application immune to sql injection attacks.
I recommend you also read the article posted by jdavies below. It gives some additional useful information.
Take a look at the following Microsoft article, which discusses exactly what you require, in depth and for different data access strategies.
How To: Protect From SQL Injection in ASP.NET
Is there any way to confirm that a particular breach of security was done through SQL injection?
There is no easy way here, but if you have the enabled the SQL server you use to log every single sql statement, here is what I would do.
Normally, when I SQL inject somewhere, i use one of these as my always true statement for passing throgh the Where clause, after ending the former string.
1=1
0=0
both being used as :
blahblahblah' or 1=1 --
You would not use this clauses in everyday code. So if you spot one of these in your history, well, it is a high candidate. Test the sql history to find :
(space)(number)(optional spaces)(equal)(optional spaces)(same number)(space)
Keep in mind that is heuristical, and will not always work, but could be the only way to give a hint after it had happened . Also, if you are in doubt about SQL injection, you should check the code for string concatenation and use of parameters.
after the attack has already happened? no. there isn't.
you'll have to check all your sql serevr access point for potential risk.
tere are some tools you can use. Check here under SQL Injection tools section.
SQL injection can happen any time you pass a query back to the database.
SQL Injection
Use mod_security to log POST requests and install an Intrusion Detection System to log/stop suspicious activity from now on. Logging every SQL request is an overhead if you are just looking for the breach points.
There are open source alternatives for IDS these days. I use PHPIDS for all my PHP applications.
Only one reliable way is probably analysing the SQL log files. Those should be done by a DBA who can spot things quickly as the size of logs would be huge.
It is better to prevent those.
There are some tools for that but the best one is the brain of the developer.
Stick with one simple rule - always use parameters when generating SQL query.
Just do the code review and if you find string cocatenations - that is first and highly possible place for SQL Injection.
You can log all http requests and check the requested pages for GET/POST sql injection tryouts.