what happened after a successful SQL injection? [closed] - sql

Closed 11 years ago.
I have always been interested in hacking, and I understand the concepts of SQL injection and cross-site scripting. However, the thing I don't know is how to detect a possible SQL injection. I have checked some books, but I didn't get much information. Do hackers do the detection work by hand, or do they have smarter automatic tools?
So, I'm thinking of writing a simple tool to do automatic injection checks (using qwebkit). I want to capture the HTTP requests before sending them and replace some form data of the HTTP header with SQL injection commands. The program checks the HTTP response, compares it with a normal response, and reports any difference.
The thing is that I have never found a SQL injection myself, so is this idea valid?
Say, if I successfully upgrade myself to administrator of a certain website, the returned HTTP response should look normal. So I shouldn't be able to automatically report that with my program?

You probably want to take a look at the SQL Injection Cheatsheet. It lists the tricks hackers will usually try to determine whether a particular input field is exploitable and then to extract data from the database.

Related

Sharing API Gateway URL with GET variables to testers [closed]

Closed 2 years ago.
I created an AWS Lambda function that fetches data from an RDS (Postgres) and returns it as json via an API Gateway (url). The url accepts 3 GET parameters which are used to filter the data based on the user needs.
My question is, how safe is it (in terms of attacks like SQL injection etc.) to share the URL with developers who want to see my data? The idea is to use this infrastructure as a temporary API alternative, to gather usage feedback.
If you're trying to mitigate SQL injection specifically, you just need to ensure that your code makes use of parameterized queries. If you're concatenating strings to build a SQL query, you're likely vulnerable to SQL injection. Even with character filtering and escaping you can often still wind up vulnerable to SQL injection, so you should make sure to use a library that supports parameterized queries out of the box.
Based off your history, it seems you use PHP. For Postgres PHP has pg_prepare which is safe from SQL injection: https://www.php.net/manual/en/function.pg-prepare.php

How to protect a stored procedure file from reading - SQL Server [closed]

Closed 6 years ago.
I want to generate a file that contains a stored procedure query and I want to share it, but I need to protect it from reading. This query will be used by another person in his own database and server.
I want to give an SP to another person to use in a different environment, but I don't want them to be able to read the T-SQL in the SP.
How can I do that?
You can use the WITH ENCRYPTION clause. However, it is known to be ineffective and easily broken, and there are third party tools available that will let your client break it.
If you want to do it anyway, a tutorial can be found here.
If you use WITH ENCRYPTION along with a thoughtfully constructed EULA, your client should not accidentally see the code, and if he purposefully goes to the trouble to crack your code encryption, you will have civil recourse (i.e. you can sue them).

Is it correct to use raw SQL requests in some cases? [closed]

Closed 7 years ago.
When I filled my database with about 25K records, I noticed that my application started working slowly. I checked the logs and realized that instead of one SQL request, ActiveRecord is performing more than eight. I have rewritten the code to use one SQL request, and it has sped my application up at least two times.
So, is it correct to write raw SQL requests in parts of the application that are heavily loaded?
Sometimes you need to eager load your data. Other times you really need to write raw SQL queries.
It is sometimes correct to use raw SQL, as ActiveRecord and Arel do not easily allow the full SQL syntax to be used, and sometimes it is helpful to just express a scope as a raw SQL fragment, but it is not correct for the first response to a performance problem to be the use of raw SQL.
It would be better to explore eager loading and joining methods, and other options, before using raw SQL, as you may be making your application less flexible to changes in future.
If you post the code that is causing the problem and the SQL being generated by it, then you may get useful advice on how to avoid raw SQL.

Query strings safe or not? [closed]

Closed 8 years ago.
I have read the posts about SQL injection, and there I saw that they use the query strings of sites to hack them. I want to know whether it is safe to use query strings or not, and how to make my site stable against SQL injection.
A SQL injection usually comes from bugs in code that runs server side and submits SQL queries to a database. Many bugs in the way you implement this can result in a SQL injection. You can read values from a URL, but before you plug these values into a SQL query you should do some checking.
To answer your question: query strings are safe; the way you use the variables that are in them may not be.
As for making your site not vulnerable to them, you should implement all your data access layer code (calling of stored procedures, of CRUD operations, of functions etc.) so that it is not vulnerable to them. For instance, if you use queries in which you pass parameterized variables, then you can avoid a great deal of SQL injections. Please take a look here:
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
If you build your SQL statements from untrusted data, such as query strings, then you are vulnerable to SQL injection.
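The advice in the answers above (use parameterized queries for the API's three GET filters, and never build SQL text from query-string values) as a runnable comparison. This is an added example, not code from any of the posts; it assumes Python with an in-memory SQLite table standing in for Postgres, and the table, column and parameter names are hypothetical.

```python
import sqlite3
from urllib.parse import parse_qs, urlencode

def make_db():
    # Constructed sample data in SQLite, standing in for the Postgres table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE readings (region TEXT, sensor TEXT, year INTEGER, value REAL)")
    db.executemany("INSERT INTO readings VALUES (?, ?, ?, ?)", [
        ("north", "temp", 2020, 11.5), ("north", "temp", 2021, 12.1),
        ("south", "temp", 2021, 19.4), ("south", "rain", 2021, 3.2)])
    return db

def filters(query_string):
    # The three GET parameters (hypothetical names) exactly as the client sent them.
    q = parse_qs(query_string, keep_blank_values=True)
    return q["region"][0], q["sensor"][0], q["year"][0]

def fetch_concatenated(db, query_string):
    # Weak: the values become part of the SQL text, so a quote ends the literal.
    region, sensor, year = filters(query_string)
    sql = ("SELECT region, sensor, year, value FROM readings "
           f"WHERE region = '{region}' AND sensor = '{sensor}' AND year = {year}")
    return db.execute(sql).fetchall()

def fetch_parameterized(db, query_string):
    # Hardened: the SQL text is constant; values travel separately as bound data.
    region, sensor, year = filters(query_string)
    try:
        year = int(year)  # typed input is validated before it reaches the driver
    except ValueError:
        return []
    sql = ("SELECT region, sensor, year, value FROM readings "
           "WHERE region = ? AND sensor = ? AND year = ?")
    return db.execute(sql, (region, sensor, year)).fetchall()

NORMAL = urlencode({"region": "north", "sensor": "temp", "year": "2021"})
# Constructed input: the quote-and-tautology string quoted elsewhere on this page.
HOSTILE = urlencode({"region": "north", "sensor": "' or '1'='1", "year": "2021"})

if __name__ == "__main__":
    db = make_db()
    for name, qs in (("normal", NORMAL), ("hostile", HOSTILE)):
        print(name, "concatenated :", fetch_concatenated(db, qs))
        print(name, "parameterized:", fetch_parameterized(db, qs))
```

With the concatenated query the hostile value rewrites the WHERE clause and the region and sensor filters stop applying; with bound parameters the same value is compared as an ordinary string and matches nothing.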

SQL Injection ethical hacking [closed]

Closed 10 years ago.
This is not a programming question but I have no idea why I did it.
Yesterday, I was going through a tutorial about ethical hacking and found a tutorial about SQL injection. It says, find an admin login.asp site and enter as follows:
Admin: Admin
Password: ' or '1'='1
I really don't know what that is or how it works. But when I tried the same on a website, I was shocked by the result. It gave me a warning like "... your IP address ip xxx.xxx.xxx.xxx and you may be prosecuted for this action ... etc". I was really scared by the warning. I had no intention of doing anything; I was just following the tutorial.
Can anyone tell me what will happen to me? I am really worried about this.
To sum up what happened:
You attempted to inject SQL through whatever method you tried.
Their website was smart enough to recognize your input.
They generated an automated threat and sent it back to your browser.
I doubt you have to be worried. Their website most likely gets these kinds of attacks quite often and the amount of money they need to spend to prosecute is pretty great and that is only IF it is considered illegal in your region.
You should send them an email where you describe that you wanted to study techniques to avoid SQL injection attacks on your side. You should apologize and I'm sure there will be no problems.