It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 12 years ago.
I want to know about SQL injection.
So, please help me.
Lots of information about SQL Injection on wikipedia, and xkcd has a very good example as well.
In general, if your application is using a SQL database, a SQL Injection attack is an attempt to use your program to pass dangerous values to the SQL database.
The best preventative measures are to never construct SQL strings without cleaning them up - the best way to do this is to use parameterized queries and widely used data access libraries.
Start here: google "sql injection".
You will see that there is plenty to read about it.
If you want to protect yourself against sql injection, you have to be a bit more specific, as the exact methods differ depending on the database and on the platform using the database.
It is the technique of manipulating the input to control your SQL. Reading more here is better for you:
Attacks by Example
Wiki
Couple of places to get started:
OWASP: Lots of principles on secure web app design. Check the first entry of the Top 10 on injection.
Injection for .NET developers: Details on what it is and how to protect against it if you're working with .NET.
It allows an attacker to tamper with existing data, destroy the data or make it otherwise unavailable, and in short become administrator of the database server...
This attack involves injecting SQL commands into the query input, thus affecting the execution of the predefined SQL commands.
Closed 10 years ago.
Needed some advice as I am writing my first iOS application.
1. What is the best (simplest) way to link an app to a database, and does the database have to be SQLite (the database will be external, i.e. linked via the internet)? I have used MySQL before in MAMP.
I have read up on other posts and they suggest complicated methods like via JSON etc. Please provide a simple way; a book/guide/web site that could teach me your suggested method would be much appreciated too :)
SQLite is one of them.
However if your requirement is to share the database, you can go with mySQL or even Oracle etc.
JSON, xml are the tools that will help you to make a client server application.
Useful link:
http://jainmarket.blogspot.in/2009/05/iphone-sdk-tutorial-reading-data-from.html
SQLite is generally used for a local database (aka, on the device itself) through CoreData. But it seems like you have a remote MySQL database you want to connect to.
You should build some API that your iOS app talks to to get data from a database. Typically this is done over http which generates JSON in whatever server language of your choice (eg - python, ruby, php, etc).
For the iOS side, you'll probably use Apple's builtin features: NSURLConnection and NSJSONSerialization.
Closed 10 years ago.
I have an Access DB, which is split into a Backend and Frontend, that has ca. 100000 records in 60 tables.
I have this idea that I can switch my Backend to an MSSQL Server Express.
I would like to know if it is worth the effort to attempt this idea, and what advantage I have if my Backend is SQL Express and the Front End is Access.
Thank you for your ideas
Definitely worth swapping to a version of SQL Server or MySQL. It can take a while to get the hang of once you have migrated from Access but using MS Sql Server will allow you to import tables easily and you'll have a more future proof application. Worked well for us
It depends on how many users are concurrently using your database and if your backend is located on a LAN or is a local database.
The number of records (100000) is not so much for Access to handle.
If your database is on a LAN location or if you have concurrent users, you should get some advantages moving to SqlServer, but some plumbing and rechecking of your code will be required.
Remember, Access is fast and easy to build applications with, but, at its core, it is a personal database adapted to work for low-concurrency situations. Sometimes (and I tend to blame the programmer instead of Access itself) it is not suitable for concurrent use. If your application is critical then, as with every database solution, a good disaster recovery plan and quick maintenance intervention time are mandatory.
Closed 11 years ago.
If I make sure only alpha-numerical characters are used in queries I should be free of any SQL injections, right?
SQL Injection Prevention CheatSheet
Bullet points:
Defense Option 1: Prepared Statements (Parameterized Queries)
...how all developers should first be taught how to write database queries.
Defense Option 2: Stored Procedures
...when implemented safely.
Defense Option 3: Escaping All User Supplied Input
...frail compared to using parameterized queries.
It's pretty difficult to write a useful query with only alphanumeric characters. Use parameterized queries; don't look for a non-shortcut shortcut.
Technically, that's probably correct, since it would block using -- or similar trickery. Most platforms these days have much more robust methods for properly escaping input and keeping it from affecting the database in unintended ways, however.
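An added example, not taken from any of the answers above, in Python with the standard sqlite3 module. It serves both the "use parameterized queries" advice from the first question and the alphanumeric-whitelist question here: the same constructed input changes the structure of a string-built query but is only a literal value to a parameterized one. The user table, credentials and helper names are constructed for the demonstration.

```python
import sqlite3


def setup_db():
    """Constructed in-memory user table for the demo (not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """Vulnerable: input is spliced into the SQL text, so a quote in the
    input ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn, username, password):
    """Safe: the driver binds the values; the input can never become SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def alnum_only(value):
    """The whitelist the question asks about. It does block quote characters,
    but it also rejects legitimate values such as passwords with spaces, so
    treat it as an extra validation step, not as the defence itself."""
    return value.isalnum()


# Constructed demonstration input: the quote closes the literal and the
# appended condition is always true, so the concatenated query matches a row.
TAUTOLOGY = "x' OR '1'='1"

if __name__ == "__main__":
    db = setup_db()
    print("concat, injected :", login_concat(db, "alice", TAUTOLOGY))  # True
    print("param,  injected :", login_param(db, "alice", TAUTOLOGY))   # False
    print("whitelist accepts:", alnum_only(TAUTOLOGY))                 # False
```

Note that `alnum_only` also rejects the legitimate password `correct horse`, which is the "difficult to write a useful query" point made above; the parameterized query handles both cases correctly.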
Closed 11 years ago.
As the topic header shows, my question is about coding an online chess game in VB.net.
I coded the chess game with all rules; now I designed a login form for it, but I don't know how to connect to a database and send a query to check the user and password.
I searched about connecting to a DB and I found something, but I didn't find anything about sending a query.
I need code that contains connecting to a DB and sending a query, for example to check a username and password against the DB.
thanks.
Well, the simplest answer is to use what's called ADO.NET. It's basically a set of classes within the .NET Framework which are used to access a database. Depending on the database you use, there may be a built-in driver (MS SQL, Access, etc.) or you may need to use a 3rd party one (MySQL, PostgreSQL, etc.).
Here are a couple of examples. There are many more.
You can also use LINQ to SQL, which internally uses ADO.NET but presents the data access to the developer in a more fluent way. Or take it another step and use Entity Framework. Etc.
Essentially the question itself is very broad. There are a number of ways you can access a database. But these are the places to get started. If/When you run into specific issues with code not working the way you expect, we'll be happy to help.
Closed 9 years ago.
What is the Difference between SQL and SQL*Plus?
SQL*Plus is a command-line tool proprietary to Oracle. You can send SQL queries to the server using the tool. It can also help you format the result of a query.
You should get a good head start on SQL*Plus here http://www.comp.nus.edu.sg/~ooibc/courses/sql/sqlplus.htm
SQL is the query language that is used to communicate with the Oracle server to access and modify the data.
cheers
SQL is a language, SQL*Plus is a tool.
SQL*Plus is an Oracle product that you use to run SQL and PL/SQL statements.
SQL*Plus, the primary interface to the Oracle Database server, provides a powerful yet easy-to-use environment for querying, defining, and controlling data. SQL*Plus delivers a full implementation of Oracle SQL and PL/SQL, along with a rich set of extensions. The exceptional scalability of the Oracle Database, coupled with the object-relational technology of SQL*Plus, allows you to develop your complex datatypes and objects using Oracle's integrated systems solution.
From Oracle.com (http://www.oracle.com/technology/tech/sql_plus/index.html)
SQL*Plus is a character-based interactive tool that runs in a GUI environment. It is loaded on the client machine.