I'm working on a PHP MSSQL project that is using the sqlsrv driver.
What's the best way to stop SQL injection attacks? I need something like mysql_real_escape_string() but for sqlsrv driver.
If you use it like this, quoting is automatic:
$sql = "exec usp_cis_upd
@key = ?,
@value = ?";
$params = array(
$key,
trim($_POST["value"]));
$stmt = sqlsrv_query($dbh, $sql, $params);
The best way is not to write your SQL so that you need to use an analogue of mysql_real_escape_string(), which you would do by using placeholders for the values and then passing the variables (that would otherwise have been handled by mysql_real_escape_string()) when you execute the statement or open the cursor or whatever.
Failing that, look at the output of mysql_real_escape_string(); it might be appropriate for MS SQL Server too. It depends on how it does the escaping (and what escaping it does).
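Both answers above come down to the same rule: keep the SQL text fixed and pass values separately. The following is an added example, not code from either answer; it assumes a `$dbh` from `sqlsrv_connect()` and a stored procedure `usp_cis_upd` taking `@key` and `@value`, and contrasts the concatenated form with the parameterised one using `sqlsrv_prepare()`/`sqlsrv_execute()` (which, unlike the one-shot `sqlsrv_query()` in the answer, can be re-executed with fresh values).

```php
<?php
// Added example (not from the original answers). Assumes $dbh comes from
// sqlsrv_connect() and that usp_cis_upd(@key, @value) exists.

/** Unsafe: the request value becomes part of the SQL text itself. */
function buildUnsafeSql($key, $value)
{
    // A single quote inside $value ends the literal early and whatever
    // follows is parsed as SQL, so the statement no longer means what we wrote.
    return "exec usp_cis_upd @key = '$key', @value = '$value'";
}

/** Safe: the SQL text never changes; values travel as parameters. */
function updateSetting($dbh, $key, $value)
{
    $sql = "exec usp_cis_upd @key = ?, @value = ?";

    // sqlsrv_prepare() binds parameters by reference, so keep them in
    // variables (the documented &$var form) rather than inline expressions.
    $trimmed = trim($value);
    $params  = array(&$key, &$trimmed);

    $stmt = sqlsrv_prepare($dbh, $sql, $params);
    if ($stmt === false) {
        throw new RuntimeException(print_r(sqlsrv_errors(), true));
    }

    // The driver sends the values typed and separate from the SQL text;
    // no escaping function is needed (or available) for this path.
    $ok = sqlsrv_execute($stmt);
    if ($ok === false) {
        $err = print_r(sqlsrv_errors(), true);
        sqlsrv_free_stmt($stmt);
        throw new RuntimeException($err);
    }
    sqlsrv_free_stmt($stmt);
    return true;
}

// Usage: updateSetting($dbh, 'site_title', $_POST['value']);
```

Because `sqlsrv_prepare()` reads the variables at `sqlsrv_execute()` time, the same `$stmt` can be executed in a loop with `$key`/`$trimmed` reassigned between calls, which is the normal way to run a batch without rebuilding SQL.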
I have recently installed SphinxSearch 3.1.1 on Ubuntu 18 and am currently creating a snippet of code using PHP 7.2. I am having trouble making bindParam work.
Here is my code:
$mytest = "hello";
$query = $conn->prepare("SELECT *, weight() FROM test WHERE MATCH('\"@title :mytest \"/1')");
$query->bindParam(':mytest', $mytest, PDO::PARAM_STR);
$query->execute();
When I try to execute it, result is empty.
However, when I try to directly put $mytest inside the statement, I get the expected result
$query = $conn->prepare("SELECT *, weight() FROM test WHERE MATCH('\"@title ". $mytest ."\"/1')");
Does this mean Sphinx does not support bindParam within the MATCH() function? Or am I missing something else here?
Note from http://php.net/manual/en/pdo.prepare.php
Parameter markers can represent a complete data literal only. Neither part of literal, nor keyword, nor identifier, nor whatever arbitrary query part can be bound using parameters.
i.e. you are trying to bind inside a string literal. In the practical sense PHP (or the MySQL server) will add the ' around the value to make the statement.
In effect you would end up with a SphinxQL query of:
SELECT *, weight() FROM test WHERE MATCH('"@title 'hello' "/1')
which is clearly wrong!
Instead bind the whole string literal.
$query = $conn->prepare("SELECT *, weight() FROM test WHERE MATCH(:mytest)");
$query->bindValue(':mytest', '"@title '.$mytest.'"/1', PDO::PARAM_STR);
Although that looks like an invalid Sphinx 'extended syntax' query; the @field qualifier should be outside the quorum:
$query->bindValue(':mytest', '@title "'.$mytest.'"/1', PDO::PARAM_STR);
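Binding the whole MATCH() literal keeps it out of the SQL grammar, but the string is then parsed by Sphinx's own extended query syntax, where characters such as `"`, `@`, `|` or `-` are operators. The following is an added example, not code from the answer; it assumes a PDO connection `$conn` to SphinxQL (for instance `new PDO('mysql:host=127.0.0.1;port=9306')`), an index `test` with a field `title` as in the question, and an operator character list taken from the SphinxAPI `EscapeString()` helper.

```php
<?php
// Added example (not the original answer's code). Assumes $conn is a PDO
// handle to SphinxQL and that index "test" has a field "title".

/**
 * Escape the characters Sphinx's extended query syntax treats as operators.
 * The list is assumed from the SphinxAPI EscapeString() helper; without it
 * a search term could close the quoted phrase or add its own @field/-term
 * operators even though the SQL statement itself is safely parameterised.
 */
function sphinxEscape($term)
{
    $special = array('\\', '(', ')', '|', '-', '!', '@', '~', '"', '&', '/', '^', '$', '=', '<');
    $escaped = array();
    foreach ($special as $ch) {
        $escaped[] = '\\' . $ch;
    }
    // Backslash is first in both arrays, so later replacements are not re-escaped.
    return str_replace($special, $escaped, $term);
}

/** Search "title" for a user-supplied phrase, binding the MATCH() text as one value. */
function searchTitle(PDO $conn, $userTerm)
{
    // Build the complete literal in PHP: @field operator outside the phrase,
    // the quorum "/1" after it, the user term escaped inside.
    $match = '@title "' . sphinxEscape($userTerm) . '"/1';

    $stmt = $conn->prepare('SELECT *, weight() FROM test WHERE MATCH(:match)');
    // bindValue(), not bindParam(): bindParam() takes a variable by reference,
    // so passing a concatenated expression to it is a PHP error.
    $stmt->bindValue(':match', $match, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage: $rows = searchTitle($conn, $_GET['q']);
// With $_GET['q'] = 'hello" | @body x' the bound text becomes
//   @title "hello\" \| \@body x"/1   (a phrase search, not extra operators)
```

The two layers are independent: PDO's placeholder protects the SphinxQL statement, `sphinxEscape()` protects the search expression inside it. Dropping either one leaves a way to change what the query means.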
I'm using squeel gem in my project, and I have code something like this :
def self.search(query)
return self.scoped if query.blank?
self.joins(:supplier).where{lower(supplier.supplier_name).like_any(["%#{query}%"])}
end
My question is: is this code vulnerable to SQL injection? And how do I fix it? I tried sanitize(query), but it just adds an extra set of quotes and the SQL statement doesn't get generated appropriately.
UPDATED:
Squeel will automatically escape strings, so your query is fine and won't open you up to injection. See the question about SQL injection on Squeel's GitHub.
OLD (INCORRECT) ANSWER:
This is the active record version
Someone correct me if I'm wrong, but since you are passing in #{query} as a STRING and not an argument, you are opening yourself up to injection. See the docs for passing in arguments.
Using arguments will escape the 'query' STRING.
Your query using arguments:
self.joins(:supplier).where{lower(supplier.supplier_name).like_any(["%"+?+"%"], query)}
I am trying to avoid an SQL injection. This topic has been dealt with in Java (How to prevent query injection on Google Big Query) and PHP.
How is this accomplished in App Scripts? I did not find how to add a parameter to a SQL statement. Here is what I had hoped to do:
var sql = 'SELECT [row],etext,ftext FROM [hcd.hdctext] WHERE (REGEXP_MATCH(etext, esearch = ?) AND REGEXP_MATCH(ftext, fsearch = ?));';
var queryResults;
var resource = {
query: sql,
timeoutMs: 1000,
esearch: 'r"[^a-zA-z]comfortable"',
fsearch: 'r"[a-z,A-z]confortable"'
};
queryResults = BigQuery.Jobs.query(resource,projectNumber);
And then have esearch and fsearch filled in with the values (which could be set elsewhere).
That does not work, according to the doc.
Any suggestions on how to get a parameter in an SQL query? (I could not find a setString function...)
Thanks!
Unfortunately, BigQuery doesn't support this type of parameter substitution. It is on our list of features to consider, and I'll bump the priority since it seems like this is a common request.
The only suggestion that I can make in the meantime is that if you are building query strings by hand, you will need to make sure you escape them carefully (which is a non-trivial operation).
Is there any SQL injection protection in the TYPO3 framework?
Or do I have to take care of building a query myself?
I found prepare_SELECTqueryArray, but there is no example of how it should look.
My TYPO3 version is 4.7, and this prepare_SELECTqueryArray I found on a site with TYPO3 v6.1.
Prepared statements are available at least in TYPO3 4.5, as you can see here [1] and [2].
A prepared query could look like this:
$preparedQuery = $this->link->prepare_SELECTquery('fieldblob,fieldblub', $table, 'id=:id', '', '', '', array(':id' => 1));
$preparedQuery->execute();
$result = $preparedQuery->fetch();
or
$preparedQuery = $this->link->prepare_SELECTquery('fieldblob,fieldblub', $table, 'id=:id');
$preparedQuery->bindValues(array(':id' => 1));
$preparedQuery->execute();
$result = $preparedQuery->fetch();
[1] https://github.com/TYPO3/TYPO3.CMS/blob/TYPO3_4-5/t3lib/class.t3lib_db.php
[2] https://github.com/TYPO3/TYPO3.CMS/blob/TYPO3_4-5/t3lib/db/class.t3lib_db_preparedstatement.php
In many places values are quoted automatically. Within the prepare_* functions, all parameters are quoted by default.
If you use exec_* queries, you need to escape values in the where part on your own. Use $GLOBALS['TYPO3_DB']->fullQuoteStr($value, $tablename) for that.
Be aware that you can create SQL injections with TypoScript too. If you use the CONTENT object you can insert GET/POST data into the where clause. Use intval or select.markers for creating SQL-injection-safe queries.
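The two answers describe two paths: prepare_* quotes bound values for you, exec_* hands the where clause through as raw SQL. The following is an added example, not code from either answer or from TYPO3 itself; it assumes the TYPO3 4.x `$GLOBALS['TYPO3_DB']` (t3lib_DB) API and an illustrative table `tx_myext_items` with columns `uid`, `title` and `hidden`, and is written in PHP 5.3-compatible syntax because that is what TYPO3 4.7 runs on.

```php
<?php
// Added example for TYPO3 4.x (not from the original answers). Assumes the
// classic $GLOBALS['TYPO3_DB'] API; table and column names are illustrative.

/** exec_* path: the WHERE string is raw SQL, so every string value is quoted. */
function findItemsByTitle($userTitle)
{
    $db = $GLOBALS['TYPO3_DB'];
    // fullQuoteStr() wraps the value in quotes and escapes it for this table's
    // connection; concatenating $userTitle directly would let a quote break out.
    $where = 'title=' . $db->fullQuoteStr($userTitle, 'tx_myext_items') . ' AND hidden=0';
    $res   = $db->exec_SELECTquery('uid,title', 'tx_myext_items', $where);

    $rows = array();
    while ($row = $db->sql_fetch_assoc($res)) {
        $rows[] = $row;
    }
    $db->sql_free_result($res);
    return $rows;
}

/** Integer values: intval() leaves nothing a quote could smuggle in. */
function findItemByUid($userUid)
{
    $db  = $GLOBALS['TYPO3_DB'];
    $row = $db->exec_SELECTgetSingleRow('uid,title', 'tx_myext_items', 'uid=' . intval($userUid));
    return $row ? $row : null;
}

/** prepare_* path: placeholders in the WHERE, values bound and quoted by TYPO3. */
function findItemsByTitlePrepared($userTitle)
{
    $stmt = $GLOBALS['TYPO3_DB']->prepare_SELECTquery(
        'uid,title',
        'tx_myext_items',
        'title=:title AND hidden=0',
        '', '', '',
        array(':title' => $userTitle)
    );
    $stmt->execute();

    $rows = array();
    while ($row = $stmt->fetch()) {
        $rows[] = $row;
    }
    $stmt->free();
    return $rows;
}

// Usage: $rows = findItemsByTitle(t3lib_div::_GP('title'));
```

Whichever path is used, the field list and table name are still concatenated SQL in both APIs; only values are covered by `fullQuoteStr()` and the bound parameters, so column or table names must never come from the request.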
How do I output the SQL statement right before it's launched?
I want to check all the data placed inside a prepared statement.
Zend_Db doesn't have a mechanism itself to output the sql statements that it generates. What you can do is modify the public method "query" in Zend/Db/Adapter/Abstract.php(line 445 in 1.10.6) to output the $sql local variable. The query method is called by both the update and insert methods.
There is actually a way to output the SQL it generates:
$select = $db->select()->from('elements')
->where('id = ?', $this->_Id);
$sql = $select->__toString();
echo $sql;
You can also use:
echo (string) $select;
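`__toString()` shows the text of a Zend_Db_Select, and because `where('id = ?', $v)` quotes the value into that text, the value is already visible there. For statements executed with separate bind values the placeholder stays a `?` in the SQL, so the question's goal (see the data placed in a prepared statement) needs Zend_Db_Profiler instead. The following is an added example, not code from the answers; it assumes a Zend Framework 1 adapter `$db` (for instance from `Zend_Db::factory('Pdo_Mysql', ...)`) and a table `elements`.

```php
<?php
// Added example (not from the original answers). Assumes $db is a ZF1
// Zend_Db_Adapter_Abstract and that a table "elements" exists.

/** Text of a Zend_Db_Select; the value is quoted into the SQL by where(). */
function selectSql(Zend_Db_Adapter_Abstract $db, $id)
{
    $select = $db->select()->from('elements')->where('id = ?', $id);
    return $select->__toString();   // same as (string) $select
}

/** For bound parameters, ask the profiler what was actually sent. */
function runWithProfile(Zend_Db_Adapter_Abstract $db, $id)
{
    $profiler = $db->getProfiler();
    $profiler->setEnabled(true);    // must be on before the query runs

    // The '?' stays in the SQL text; the value travels as a bind parameter.
    $rows = $db->fetchAll('SELECT * FROM elements WHERE id = ?', array($id));

    $last = $profiler->getLastQueryProfile();
    return array(
        'rows'    => $rows,
        'sql'     => $last->getQuery(),        // 'SELECT * FROM elements WHERE id = ?'
        'params'  => $last->getQueryParams(),  // the bound values, keyed from 1
        'seconds' => $last->getElapsedSecs(),
    );
}

// Usage:
//   echo selectSql($db, 7);                 // SELECT `elements`.* FROM `elements` WHERE (id = 7)
//   $info = runWithProfile($db, 7);
//   var_dump($info['sql'], $info['params']);
```

Leaving the profiler enabled costs a little time per query, so switch it on for the statements under inspection and off again afterwards, which avoids editing `Zend/Db/Adapter/Abstract.php` as the first answer suggests.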