It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 11 years ago.
If I make sure only alpha-numerical characters are used in queries I should be free of any SQL injections, right?
SQL Injection Prevention CheatSheet
Bullet points:
Defense Option 1: Prepared Statements (Parameterized Queries)
...how all developers should first be taught how to write database queries.
Defense Option 2: Stored Procedures
...when implemented safely.
Defense Option 3: Escaping All User Supplied Input
...frail compared to using parameterized queries.
It's pretty difficult to write a useful query with only alpha-numeric characters. Use paramterized queries, don't look for a non-shortcut shortcut.
Technically, that's probably correct, since it would block using -- or similar trickery. Most platforms these days have much more robust methods for properly escaping input and keeping it from affecting the database in unintended ways, however.
Related
It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 9 years ago.
I am totally new to the subject of databases and I have only theoretical knowledge about it.I want to run the SQL commands I read about but totally clueless where to run it.The definition says SQL is a special purpose programming language.If so why doesn't it have a compiler?And if I have to install in a RDBMS on my computer to practice SQL, what is the one you would suggest for learners?Can SQL commands be run in all RDBMS?
I am totally despondent about it,utterly clueless.Please help me take the first step.Just a simple thing--Where on earth to run those SQL commands?
You can use http://sqlfiddle.com/ to test your queries. There you can chose a database (mysql, Oracle, Sql Server or other), generate test tables, fill them with test data and generate test queries to this data
It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 10 years ago.
I find that creating SQL tables tedious when starting to create a web app (ASP/Python/PHP).
Do you guys know any tools that makes creating tables quicker and faster and easier? Thanks in advance! :-)
In my opinion writing a CREATE TABLE statement is far less tedious than writing HTML pages.
The recommended approach is to use a ER design tool co create and define your database model. Most (if not all) ER designer can then create the necessary DDL statement directly from the model.
With this approach you also have a documentation of your database model which is always a good thing.
It depends on the tools/libraries you use to create your app.
If you use an ORM, many ORMs offer you the possibility to create the database with all tables automatically, according to the classes and mappings you defined in your application.
It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 11 years ago.
What is the purpose of table hints in SQL Server like NOLOCK and READUNCOMMITTED?
Please explain this with example.
Also why can't they be specified for tables modified by INSERT, UPDATE, or DELETE operations?
They allow you to set transaction isolation level on a table-by-table basis instead of for the entire query or connection.
They can also be used to trigger some features like minimal logging (use TABLOCK with the right trace flags set on an INSERT and it can be minimally logged).
As a rule it's a better idea to use connection-level settings.
As the commentor pointed out, Books Online has an excellent description (and samples) of Table Hints, including which hints can be used for which operations.
http://msdn.microsoft.com/en-us/library/ms187373.aspx
There is also a big fat caveat at the top of the page, which often goes unnoticed:
Caution Because the SQL Server query optimizer typically selects the
best execution plan for a query, we recommend that hints be used only
as a last resort by experienced developers and database
administrators.
While the accuracy of the optimizer in choosing the best plan can be debatable, the latter half of the warning is certainly true; don't use Table Hints unless you are sure that you need them, and that assurance typically only comes with experience.
It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 11 years ago.
I have worked on several rails applications and now I work on a very complex one, from the database side. A lots of nested models, several polymorphyc associations...
How you deal with that complexity ? How can I know that we are working in the good direction ? What about performance issues ?
Thansk for your opinions.
First of all, you need to estimate the performance of the queries that your application runs against the database. Then you can try to optimize the queries, for example, by adding some indexes. Maybe in some cases you will also need to consider denormalizing some data to get better performance.
Performance of the queries may also depend on your data size. If you have really big data set and queries are optimal, then you may consider introducing (distributed) caching. Or if data model allows that think of partitioning your database on several nodes to improve query performance.
But still the first step should be a setup of some SQL query performance monitoring.
You should consider a NOSQL solution such as MongoDB or CouchDB. Sometimes an RDBMS is not the right tool for the job.
http://www.mongodb.org/
http://couchdb.apache.org/
It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 12 years ago.
I want to know about SQL injection.
So, please help me.
Lots of information about SQL Injection on wikipedia, and xkcd has a very good example as well.
In general, if your application is using a SQL database, a SQL Injection attack is an attempt to use your program to pass dangerous values to the SQL database.
The best preventative measures are to never construct SQL strings without cleaning them up - the best way to do this is to use parameterized queries and widely used data access libraries.
Start here: google "sql injection".
You will see that there is plenty to read about it.
If you want to protect yourself against sql injection, you have to be a bit more specific, as the exact methods differ depending on the database and on the platform using the database.
It is the technique to manipulate the input to control your sql. Read more here is better for you
Attacks by Example
Wiki
Couple of places to get started:
OWASP: Lots of principals on secure web app design. Check the first entry of the Top 10 on injection
Injection for .NET developers: Details on what it is and how to protect against it if you're working with .NET.
It allow a attacker to tamper with existing data, destroy the data or make it otherwise unavailable, and in short become administrators of the database server...
This attack involves injecting SQL commands in the query input thus effecting predefined SQL commands exection.