Query strings safe or not? [closed] - sql

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 8 years ago.
I have read the posts about SQL injection, and there I saw that they use the query strings of sites to hack them. I want to know: is it safe to use query strings or not, and how do I make my site robust against SQL injection?

A SQL injection usually comes from bugs in code that runs server side and submits SQL queries to a database. Many bugs in the way you implement this can result in a SQL injection. You can read values from a URL, but before you plug these values into a SQL query you should do some checking.
To answer your question: query strings are safe; the way you use the variables that are in them may not be.
As for making your site not vulnerable to them, you should implement all your data access layer code (calls to stored procedures, CRUD operations, functions etc.) so that it is not vulnerable. For instance, if you use queries in which you pass parameterized variables, then you can avoid a great deal of SQL injections. Please take a look here:
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

If you build your SQL statements from untrusted data, such as query strings, then you are vulnerable to SQL injection.

Related

Sharing API Gateway URL with GET variables to testers [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 2 years ago.
I created an AWS Lambda function that fetches data from an RDS (Postgres) database and returns it as JSON via an API Gateway (URL). The URL accepts 3 GET parameters which are used to filter the data based on the user's needs.
My question is, how safe is it (in terms of attacks like SQL injection etc.) to share the URL with developers who want to see my data? The idea is to use this infrastructure as a temporary API alternative, to gather usage feedback.
If you're trying to mitigate SQL injection specifically, you just need to ensure that your code makes use of parameterized queries. If you're concatenating strings to build a SQL query, you're likely vulnerable to SQL injection. Even with character filtering and escaping you can often still wind up vulnerable to SQL injection, so you should make sure to use a library that supports parameterized queries out of the box.
Based on your history, it seems you use PHP. For Postgres, PHP has pg_prepare, which is safe from SQL injection: https://www.php.net/manual/en/function.pg-prepare.php
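The point made in both answers above (query-string values are fine to read, but must reach the database as bound parameters, and quote-escaping is not a substitute) is shown below as an added example; it is not code from either post. Python's stdlib sqlite3 stands in for the Postgres/RDS back end, and the users table, its rows and the query strings are all constructed here for the demonstration.

```python
"""Query-string values reaching SQL: string building vs parameterized queries.

Added example, not from the original posts. sqlite3 (stdlib) stands in for the
Postgres back end; the table, rows and query strings are constructed here.
"""
import sqlite3
from urllib.parse import parse_qs


def make_db() -> sqlite3.Connection:
    """Build an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def id_from_query_string(query_string: str) -> str:
    """Reading the 'id' value out of the URL is the harmless part."""
    return parse_qs(query_string).get("id", [""])[0]


def names_by_id_concat(conn, query_string: str) -> list:
    """VULNERABLE: the raw 'id' value is spliced into the statement text,
    so 'id=2 OR 1=1' turns the WHERE clause into 'id = 2 OR 1=1'."""
    sql = "SELECT name FROM users WHERE id = " + id_from_query_string(query_string)
    return [row[0] for row in conn.execute(sql)]


def names_by_id_escaped(conn, query_string: str) -> list:
    """STILL VULNERABLE: doubling single quotes only protects a quoted string
    context. In a numeric context there are no quotes to break out of, so the
    same payload passes straight through the 'sanitizer'."""
    escaped = id_from_query_string(query_string).replace("'", "''")
    sql = "SELECT name FROM users WHERE id = " + escaped
    return [row[0] for row in conn.execute(sql)]


def names_by_id_param(conn, query_string: str) -> list:
    """SAFE: the value travels as a bound parameter and is never parsed as SQL.
    '2 OR 1=1' is compared to the id column as one literal value and matches
    nothing; '2' matches bob. The statement text is constant."""
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (id_from_query_string(query_string),))]


if __name__ == "__main__":
    db = make_db()
    payload = "id=2%20OR%201%3D1"        # URL-encoded "id=2 OR 1=1"
    print("concat   :", names_by_id_concat(db, payload))
    print("escaped  :", names_by_id_escaped(db, payload))
    print("bound    :", names_by_id_param(db, payload))
```

The same rule carries over to pg_prepare/pg_execute in PHP or to psycopg2 parameters in Python: the statement is sent with placeholders and the values separately, so the database never tokenizes attacker-controlled text as SQL. Whitelisting which three filter columns may be used is still the application's job, since parameters cannot bind identifiers.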

Is it correct to use raw SQL requests in some cases? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 7 years ago.
When I filled my database with about 25K records, I noticed that my application started working slowly. I checked the logs and realized that instead of one SQL request ActiveRecord is performing more than eight. I have rewritten the code to use one SQL request, and it has sped my application up by at least two times.
So, is it correct to write raw SQL requests in parts of the application that are heavily loaded?
Sometimes you need to eager load your data. Other times you really need to write raw SQL queries.
It is sometimes correct to use raw SQL, as ActiveRecord and Arel do not easily allow the full SQL syntax to be used, and sometimes it is helpful to just express a scope as a raw SQL fragment, but it is not correct for the first response to a performance problem to be the use of raw SQL.
It would be better to explore eager loading and joining methods, and other options, before using raw SQL, as you may be making your application less flexible to changes in future.
If you post the code that is causing the problem and the SQL being generated by it, then you may get useful advice on how to avoid raw SQL.

Easy migration from SQL Server to Oracle [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 7 years ago.
I have a vb.net application working well over SQL Server 2008.
My sql requests are basic and simple, like select, insert into, update...
I'm not using any SQL Server specific commands or instructions.
Now I want to change my database server to Oracle, running on a Linux machine.
Is it possible? Or must I re-write all my SQL requests?
This is a rather general question (perhaps "too broad" would apply). You definitely have some gotchas, even for simple statements:
SUBSTR() versus SUBSTRING()
VARCHAR2() versus VARCHAR()
INSTR() versus CHARINDEX()
|| versus + for string concatenation
LENGTH() versus LEN()
TRIM() versus LTRIM()/RTRIM()
SYSDATE versus GETDATE()
and so on.
There are also significant differences in syntax, for instance:
SQL Server allows joins in UPDATE, which Oracle does not.
Oracle limits resolution of correlated queries to a scope only one layer deep.
SQL Server has the APPLY keywords for certain types of joins.
Oracle's DATE data type has a time component, but SQL Server's does not.
This is by no means a comprehensive list. It is just suggestive that you will need to do some work to move between the databases. However, that work might be mostly cosmetic.

Difference between Script, Stored Procedure, T-SQL, PL/SQL [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 8 years ago.
I'm getting really confused with all these terms. I used to attend a class called PL/SQL, then when I came out to work, I came across other terms like Stored Procedure, T-SQL and even script. They all look very similar to me, but exactly what are the differences between each of them? (if any)
Here are some rough definitions to explain the differences.
PL/SQL - a SQL variation specific to Oracle databases.
T-SQL (Transact-SQL) - a SQL variation specific to Microsoft (and Sybase) databases.
Stored Procedure - a set of SQL commands that is precompiled and stored on the server for reuse
Script - a set of SQL commands that is run ad-hoc (not precompiled / not meant for reuse)
There are more differences between Stored Procedures and Scripts (e.g. sprocs can have parameters, etc.) but that's the fundamental difference.
T-SQL is Microsoft's version of SQL. PL/SQL is Oracle's version of SQL. Both are ANSI SQL compliant, but contain additional capabilities that are not in the standard.
A Stored Procedure is a prepared SQL statement that is stored on the database server, and can be reused by calling it.
Script is basically code, but scripts are typically small, standalone programs that operate without the aid of a GUI. A Stored Procedure could properly be called a script.

what happened after a successful SQL injection? [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 11 years ago.
I am always interested in hacking, and I understand the concept of SQL injection and cross-site scripting. However, the thing I don't know is how to detect a possible SQL injection. I have checked some books, but I didn't get much information. Do hackers do the detection work by hand, or do they have smarter automatic tools?
So, I'm thinking of writing a simple tool to do an automatic injection check (using QWebKit). I want to capture the HTTP requests before sending them and replace some form data of the HTTP header with SQL injection commands. The program checks the HTTP response, compares it with a normal response and reports any difference.
The thing is that I have never found a SQL injection myself, so is this idea valid?
Say, if I successfully upgrade myself to administrator of a certain website, the returned HTTP response should look normal. So I shouldn't be able to automatically report that with my program?
You probably want to take a look at the SQL Injection Cheatsheet. It lists the tricks hackers will usually try to determine whether a particular input field is exploitable and then to extract data from the database.
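The asker's idea of comparing a normal response with a mutated one is the basis of boolean-based detection, which is one of the techniques the cheat sheet catalogues. The example below is added here and is not part of the question or the answer: the "web application" is a local function backed by stdlib sqlite3 so that the probe runs offline, and the two constructed back ends (one concatenating, one parameterized) and their user table exist only for this demonstration. It also addresses the asker's worry about responses that "look normal": the detector does not look for error pages, it sends a pair of payloads that should produce different pages only if the appended SQL is actually evaluated.

```python
"""Boolean-based differential probing for SQL injection.

Added example, not from the original posts. The target is a local function
backed by sqlite3 (stdlib); both back ends and the user table are constructed.
"""
import sqlite3

_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (name TEXT)")
_conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])


def vulnerable_app(name: str) -> str:
    """Constructed target: the 'name' form field is concatenated into SQL.
    Errors are swallowed, so error-based detection alone would see nothing."""
    sql = "SELECT count(*) FROM users WHERE name = '" + name + "'"
    try:
        (count,) = _conn.execute(sql).fetchone()
    except sqlite3.Error:
        return "500 Internal Server Error"
    return "200 Welcome back" if count else "200 No such user"


def safe_app(name: str) -> str:
    """Constructed target: same page logic, value passed as a bound parameter."""
    sql = "SELECT count(*) FROM users WHERE name = ?"
    (count,) = _conn.execute(sql, (name,)).fetchone()
    return "200 Welcome back" if count else "200 No such user"


def looks_injectable(app, known_value: str) -> bool:
    """Boolean-based probe built on response comparison.

    baseline     : the field with a value known to produce a normal page
    true_probe   : same value plus an always-true condition  (' AND '1'='1)
    false_probe  : same value plus an always-false condition (' AND '1'='2)

    If the server evaluates the appended SQL, the TRUE probe reproduces the
    baseline page while the FALSE probe changes it. A parameterized target
    treats both payloads as one literal string, so neither matches the
    baseline and the check stays negative. Nothing here depends on an error
    message being shown.
    """
    baseline = app(known_value)
    true_probe = app(known_value + "' AND '1'='1")
    false_probe = app(known_value + "' AND '1'='2")
    return true_probe == baseline and false_probe != baseline


def scan(app, candidates) -> dict:
    """Run the probe over several candidate field values and report each."""
    return {value: looks_injectable(app, value) for value in candidates}


if __name__ == "__main__":
    for label, target in (("concatenating", vulnerable_app), ("parameterized", safe_app)):
        print(label, scan(target, ["alice", "bob"]))
```

Against a real site the comparison has to tolerate noise (timestamps, CSRF tokens, view counters) by normalising or hashing only the stable part of the body; a byte-for-byte diff such as the one the asker proposes produces false positives on pages that change on every request. The probe also only covers a quoted string context; numeric contexts and other quoting styles need their own payload pairs, which is why the cheat sheet lists several.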