This question already has answers here:
How can sanitation that escapes single quotes be defeated by SQL injection in SQL Server?
(6 answers)
Closed 3 years ago.
Hello I am going through some SQL injection examples and I have the following scenario:
In this example, aware of the risk of SQL injection, the developer decided to block single quotes ' by removing any single quote ' in the query. However, there is still a way to break out of the SQL syntax and inject arbitrary SQL.
To do so, you need to think of the query:
SELECT * FROM users WHERE username='[username]' and password='[password]'
The problem here is that you cannot, in theory, break out of the single quotes ' since you cannot inject any quote. However, if you inject a back-slash \, the second ' in the query (the one supposed to finish the string [username] will be escaped and will be closed by the third one (the one supposed to start the string [password].
Doesn't this mean that if I input a "\" on the username field it will automatically break the query? and look something like
SELECT * FROM users WHERE username='[username] and password=' ..
Am I missing something ? Should I provide the backslash in another way?
Ok I have found the answer:
The username should be : \
and password : or 1#
Then the query will look something like this
SELECT * FROM users WHERE username = '\' AND password=' or 1#
Related
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 2 years ago.
I am working on a project where another developer created a table with column names like 'Business Name'. That is a space between two words. If I run a SELECT statement with 'Business Name' it says there is no column with name 'Business'.
How can I solve this problem?
Generally the first step is to not do that in the first place, but if this is already done, then you need to resort to properly quoting your column names:
SELECT `Business Name` FROM annoying_table
Usually these sorts of things are created by people who have used something like Microsoft Access and always use a GUI to do their thing.
If double quotes does not work , try including the string within square brackets.
For eg:
SELECT "Business Name","Other Name" FROM your_Table
can be changed as
SELECT [Business Name],[Other Name] FROM your_Table
You need to use backtick instead of single quotes:
Single quote - 'Business Name' - Wrong
Backtick - `Business Name` - Correct
To each his own but the right way to code this is to rename the columns inserting underscore so there are no gaps. This will ensure zero errors when coding. When printing the column names for public display you could search-and-replace to replace the underscore with a space.
I got here with an MS Access problem.
Backticks are good for MySQL, but they create weird errors, like "Invalid Query Name: Query1" in MS Access, for MS Access only, use square brackets:
It should look like this
SELECT Customer.[Customer ID], Customer.[Full Name] ...
I think double quotes works too:
SELECT "Business Name","Other Name" FROM your_Table
But I only tested on SQL Server NOT mySQL in case someone work with MS SQL Server.
This question already has answers here:
How to escape ampersand in TOAD?
(3 answers)
Closed 3 years ago.
I've seen a bunch of related posts, but none yet that resolve my specific question.
In Oracle SQL I need to do something like this:
SELECT field1 "Eggs&Cheese"
FROM table1;
But it reads the &Cheese and wants to do parameter substitution. I just want the field name to be Eggs&Cheese
I saw this post Escape ampersand with SQL Server, but Oracle does not like the bracket [] syntax.
And also Escaping ampersand character in SQL string, but that is escaping the ampersand in a value string, not a label string.
The substitution is related to tool you are using and has nothing to do with column alias.
db<>fiddle demo
Depending on the tool you could disable it like "set define off".
Related: Set define off not working in Oracle SQL Developer & How to escape ampersand in TOAD?
You have to set the escape. Works in Oracle SQL Developer.
set escape \
SELECT field1 "Eggs\&Cheese" FROM table1;
After your work is done you can set it off.
set escape off
I am writing a SQL program in Delphi 7 and came across a problem.
If you add an SQL command you have to use ' to indicate it is a Variable or String, but I want to build up my SQL statement because it is coming from different If statements and thus have to build it up. Therefore, I wanted to know if anyone knows a trick to add a ' into a string.
Don't make the same mistake like many before you and lookup parametrized queries or else you will be open for SQL injection attacks. If you need to include string constants in your query then use 2 single quotes ('') or the QuotedStr() function from the SysUtils unit.
Try two quotes to represent one i.e. ''
This question already has answers here:
What is the question mark's significance in MySQL at "WHERE column = ?"?
(4 answers)
What does a question mark represent in SQL queries?
(6 answers)
Closed 9 years ago.
I was just surfing the net and found a query something like:
sql = "select milk_rate from special_milk_rate
where code_producer_id=? and effective_from <= ?
and effective_till >= ?"
what exactly this query means i means what is the use of ? in this statement.
and one thing more what is use of & in sql.
This usually implies a prepared statement, where the parameters are filled in later. (see e.g. http://en.wikipedia.org/wiki/Prepared_statements#Parameterized_statements).
what exactly this query means i means what is the use of ? in this statement.
The question marks are for parameters.
and one thing more what is use of & in sql.
& is a bitwise AND operator in sql
The question marks are supposed to contain the actual parameters.
E.g.
"select milk_rate from special_milk_rate
where code_producer_id=2 and effective_from <= '20101231'
and effective_till >= '20110124'"
& usually denotes a variable or substitution value which you may be prompted for at run time
Here is nice article:
http://publib.boulder.ibm.com/infocenter/idshelp/v10/topic/com.ibm.sqls.doc/sqls610.htm#sii-02prep-18104
In some statements, parameters are
unknown when the statement is prepared
because a different value can be
inserted each time the statement is
executed. In these statements, you can
use a question-mark ( ? ) placeholder
where a parameter must be supplied
when the statement is executed.
Question marks are found in prepared statements, meaning it is parametrized and can be called again and again without having to reconstruct the whole sql statement, just by changing the parameters. Some frameworks use those that together with SqlCommands. Those encapsulate escaping and prevent sql injection attacks.
Some frameworks also allow named parameters.
This question already has answers here:
How to anticipate and escape single quote ' in oracle
(2 answers)
Closed 7 years ago.
I have a database with names in it such as John Doe etc. Unfortunately some of these names contain quotes like Keiran O'Keefe. Now when I try and search for such names as follows:
SELECT * FROM PEOPLE WHERE SURNAME='O'Keefe'
I (understandably) get an error.
How do I prevent this error from occurring. I am using Oracle and PLSQL.
The escape character is ', so you would need to replace the quote with two quotes.
For example,
SELECT * FROM PEOPLE WHERE SURNAME='O'Keefe'
becomes
SELECT * FROM PEOPLE WHERE SURNAME='O''Keefe'
That said, it's probably incorrect to do this yourself. Your language may have a function to escape strings for use in SQL, but an even better option is to use parameters. Usually this works as follows.
Your SQL command would be :
SELECT * FROM PEOPLE WHERE SURNAME=?
Then, when you execute it, you pass in "O'Keefe" as a parameter.
Because the SQL is parsed before the parameter value is set, there's no way for the parameter value to alter the structure of the SQL (and it's even a little faster if you want to run the same statement several times with different parameters).
I should also point out that, while your example just causes an error, you open youself up to a lot of other problems by not escaping strings appropriately. See http://en.wikipedia.org/wiki/SQL_injection for a good starting point or the following classic xkcd comic.
Oracle 10 solution is
SELECT * FROM PEOPLE WHERE SURNAME=q'{O'Keefe}'
Parameterized queries are your friend, as suggested by Matt.
Command = SELECT * FROM PEOPLE WHERE SURNAME=?
They will protect you from headaches involved with
Strings with quotes
Querying using dates
SQL Injection
Use of parameterized SQL has other benefits, it reduces CPU overhead (as well as other resources) in Oracle by reducing the amount of work Oracle requires in order to parse the statement. If you do not use parameters (we call them bind variables in Oracle) then "select * from foo where bar='cat'" and "select * from foo where bar='dog'" are treated as separate statements, where as "select * from foo where bar=:b1" is the same statement, meaning things like syntax, validity of objects that are referenced etc...do not need to be checked again. There are occasional problems that arise when using bind variables which usually manifests itself in not getting the most efficient SQL execution plan but there are workarounds for this and these problems really depend on the predicates you are using, indexing and data skew.
Input filtering is usually done on the language level rather than database layers.
php and .NET both have their respective libraries for escaping sql statements. Check your language, see waht's available.
If your data are trustable, then you can just do a string replace to add another ' infront of the ' to escape it. Usually that is enough if there isn't any risks that the input is malicious.
I suppose a good question is what language are you using?
In PHP you would do: SELECT * FROM PEOPLE WHERE SURNAME='mysql_escape_string(O'Keefe)'
But since you didn't specify the language I will suggest that you look into a escape string function mysql or otherwise in your language.
To deal quotes if you're using Zend Framework here is the code
$db = Zend_Db_Table_Abstract::getDefaultAdapter();
$db->quoteInto('your_query_here = ?','your_value_here');
for example ;
//SELECT * FROM PEOPLE WHERE SURNAME='O'Keefe' will become
SELECT * FROM PEOPLE WHERE SURNAME='\'O\'Keefe\''
Found in under 30s on Google...
Oracle SQL FAQ