SELECT verlog.bearerid, detail.snum
FROM verlog
INNER JOIN detail
ON verlog.txnid = detail.txnid
WHERE verlog.bearerid ='"+ TextBox1.Text +"'
is this the right way to obtain the value of a text box and use it in a where clause?
By constructing the statement in this way you open yourself up to SQL injection attacks in which users may be able to run additional sql against your database.
You can protect against this by using parameterised sql. Then pass both the query and the parameters when executing.
SELECT verlog.bearerid, detail.snum
FROM verlog
INNER JOIN detail
ON verlog.txnid = detail.txnid
WHERE verlog.bearerid = #bearerid
Further details can be read here: http://www.csharp-station.com/Tutorial/AdoDotNet/lesson06
Alternatively you can use an ORM which will handle this for you.
I seggest not to write scripts as you mentioned; that would pave the way of injection. If not using any ORM technology such as Entity framework which in turn calls for its own security issues as well, always stick into parametric ado.net queries. Look at this link
Related
We have to work with older version of an ERP system (1993).
It has multiple modules. These modules have windows(tabs). Tabs have cols (obviously).
In this tabs the USER can make a "new column" -> it's like a subquery. Query can be used only in parentheses ().
I'm just curious, is it possible to make an injection by user.
e.g.:
--basic query (self join)
(select i.my_col from my_table i where my_pk = i.pk)
--illlustrating
(select replace(i.my_col, 'UPDATE...') from my_table i where my_pk = i.pk)
Is there any way to make the second query workable ? I mean, can the user somehow update columns whit this method ?
How can i test it ?
Dynamic values can be handled for where condition through preparedStatement and setParameter however unfortunately that option is not available for dynamic column selection.
The best thing can be done is to have all possible/applicable column names before you pass to the query.
// check if my_col is possible values else throw the error.
(select replace(i.my_col, 'UPDATE...') from my_table i where my_pk = i.pk)
Avoiding SQL injection is down to the mechanism which turns the user's input into executable statements. The actual example you posted won't run, but I can think of ways it might be possible to hijack the SELECT to run malicious DML. It depends on the framework: given that the underlying software is ancient I suspect it might be extremely vulnerable.
Generally speaking, if you're worried about SQL Injection you should investigate using Oracle's built-in DBMS_ASSERT package to verify your SQL strings. Find out more
I am using Spring Boot with MyBatis. I have the following query in one mapper XML file.
<select id="someFunction" resultMap="someResultMap">
SELECT *
FROM p LEFT JOIN anotherDatabase.table AS q ON p.id = q.id
</select>
Actually "anotherDatabase" is hard-coded in my query because I do NOT want to add another data source for only this query. But how can I make this "anotherDatabase" name dynamically (maybe configure it in some properties file) as it may change in different environment deployed?
Though ugly solution, you can use a parameter: not a traditional JDBC/SQL parameter #{schema} but a direct parameter ${schema}. See the dollar sign ($) there?
When using a direct parameter ${param} you can insert whatever you want into the SQL. Even a entire whole SQL statement if you wish. Use it with care and only as a last resort.
Please carefully consider this insertion of direct parameters into the SQL is susceptible of SQL injection. You need to carefully control the value of the schema property/parameter, so it does not come from the user or any external source. If you do it like this, it will be safe to use.
However, a cleaner solution is to use a separate datasource. The only drawback is you may need to enable two-phase commit if you need transactions that emcompass tables from both datasources.
I am getting all the content from the table using following queries
SqlCmd.CommandText = "Select * from Product";
SqlCmd.connection = myConnection();
myConnection.open();
reader = sqlCmd.ExecuteReader();
As far I know when we use input parameters in select then there is possible attack of SQL injection. So how do we secure when we are not using where clause.
Can we prevent SQL injection using following query.
SqlCmd.CommandText = "Select Name from Product";
Injection occurs when placing variables in a query that user's can put code into. Users overwrite your statements and use their own (injection of SQL code). Your select query does not meet that criteria since users cant interact with it.
There should be some functions in ASP.net that allow you to premake statements. I don't use asp.net but a google search should help you know that your in the right direction.
As I read in a lot of articles, when I use JPA/Hibernate query it is good to set parameters in my queries so SQL injection is avoided. Like:
select user from User user where user.name = :name and user.surname = :surname
My problem is that in some cases I need to use native query when I create my query.
I will use my entity manager and createNativeQuery. But in this case the parameters will be positional. Like:
select * from users where user_name = ? and user_surname = ?
Then in my query I will use the method setParameter(1, "name") etc. So is this case "sql injection proof" like when in the parameterized query?
if you do not use string operations for building your query like
"SELECT foo FROM bar Where id="+myParameter+" more sql ..."
, then you will not have any vulnerabilities.
Currently (community correct me if I am wrong) no vulnerabilities exist within the latest PDO database abstraction layer.
However testing your queries for known and unknowns while sanitizing and filtering input will help eliminate the possibility of an injection in the event of a zero day exploit.
I currently use a combination of filtering input, charset expectations, stored procedures and strict requirements on their arguments prior to any and all dynamically created queries
I am a SQL Server DBA for a company that sells an ASP.NET MVC3 application that uses LINQ and Entity Framework 4 for all database access. When I find an inefficient query in my SQL Server's plan cache that was generated by LINQ, I would like to be able to find that LINQ statement in the source code so that I can optimize it. What is the best way to find the LINQ that generated a given SQL statement?
For example, is there any way to put an entry in a config file or decorate the code somehow so that the class and method name or the LINQ statement itself are included as comments in the generated SQL?
The commercial tools ORM Profiler, Entity Framework Profiler or Hugati Query Profiler will both give you a stack trace for the methods which generated the SQL. That makes it fairly easy to find the LINQ in code, though it isn't displayed directly.
These tools also have the advantage that they make it easy to find inefficient queries amongst the many other SQL statements executed by the app.
Although it is not a free tool, this may provide the information you need:
http://efprof.com/
There is also a less expensive tool described here, which I have not used, but it looks very promising:
http://huagati.blogspot.com/2010/06/entity-framework-support-in-huagati.html
http://www.huagati.com/L2SProfiler/
I bet Entity Framework Profiler (http://efprof.com/) would help you out. The workflow is very different from what you asked for (which would be pretty cool BTW). It is a good tool, and is worth a look even if it's not your final solution.
Good luck!
If you have access to the ASP.NET code where the LINQ code is you can more or less know which query you are looking for, copy it into a freeware tool called LINQPad and run it directly there to get the generated SQL statements. http://www.linqpad.net/
You need first get the LINQ queries on your .net code, create a connection to your datasource, paste the Linq code in new queries and run them. You will get the SQL Query generated from the LINQ code.
For example:
from e in ETUSERs
where e.LoginName.Contains("a")
orderby e.LoginName
select e
SQL Results Tab:
-- Region Parameters
DECLARE #p0 VarChar(1000) = '%a%'
-- EndRegion
SELECT [t0].[UserID], [t0].[UsrFirstName], [t0].[UsrLastName], [t0].[LoginName], [t0].[Location], [t0].[Password], [t0].[UsrEmail], ...
FROM [ETUSER] AS [t0]
WHERE [t0].[LoginName] LIKE #p0
ORDER BY [t0].[LoginName]
This is probably not exactly what you are looking for, but it is worth knowing about this tool since it is very helpful to quickly test LINQ queries. There you can quickly edit and run to improve the code without recompiling the whole stuff.
I don't think you can modify the generated SQL easily but what you can do is to get the generated SQL before sending the query to the database.
So you can log every query in a separate textfile with timestamp and source code context information. But that means to modify each place in your source where LINQ queries are sent to the database. Maybe there is an extension point somewhere in the DataContext class for simplifying this.
Anyway here is the code to get the corresponding sql query for a LINQ query:
YourDataContext dc = new YourDataContext();
IQueryable<YourEntityClass> query =
from e in dc.YourEntities
where ...
select e;
string command = dc.GetCommand(query).CommandText;