14 Topics

Started by davy_yg

Hello, one type of SQLIA is the UNION query, and I still do not completely understand what the point is. SELECT Name, Address FROM Users WHERE Id=$id: by injecting the following Id value, $id=1 UNION ALL SELECT creditCardNumber,1 FROM CreditCarTable, we will have the following query: SELECT Name, Address FROM …

Last post by pty
Started by davy_yg

Hello, I am trying to understand prepared statements and what they do. https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet#Defense_Option_1:_Prepared_Statements_.28Parameterized_Queries.29 "Prepared statements ensure that an attacker is not able to change the intent of a query, even if SQL commands are inserted by an attacker. In the safe example below, if an attacker were to enter the …

Last post by rproffitt
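The two questions above (what a UNION injection actually buys the attacker, and what a prepared statement does about it) are easiest to see side by side. The following is an added example, not code from either post or from OWASP: it builds a constructed SQLite database with the Users table from the first post and a CreditCardTable (the post writes CreditCarTable) holding one made-up card number, then runs the post's exact Id payload through a string-concatenated query and through a parameterized one.

```python
"""Added example: UNION-based SQL injection versus a parameterized query.

Schema, rows and payload are constructed for this demo (SQLite in memory);
the table is named CreditCardTable here where the post writes CreditCarTable.
"""
import sqlite3


def build_db():
    """Create an in-memory database with a Users table and the CreditCardTable
    that the attacker wants to read through the Users query."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE Users (Id INTEGER PRIMARY KEY, Name TEXT, Address TEXT);
        CREATE TABLE CreditCardTable (Id INTEGER PRIMARY KEY, creditCardNumber TEXT);
        INSERT INTO Users VALUES (1, 'alice', '1 Main St');
        INSERT INTO Users VALUES (2, 'bob', '2 High St');
        INSERT INTO CreditCardTable VALUES (1, '4111111111111111');
        """
    )
    return conn


# The attacker-controlled Id value from the post. It satisfies the WHERE
# clause with a real Id and appends a second SELECT whose two columns line
# up with Name, Address, so the engine unions the card numbers into the
# result set the application was going to display anyway.
UNION_PAYLOAD = "1 UNION ALL SELECT creditCardNumber,1 FROM CreditCardTable"


def lookup_unsafe(conn, id_value):
    """Vulnerable: the Id is pasted into the SQL text, so anything in it is
    parsed as part of the statement."""
    sql = f"SELECT Name, Address FROM Users WHERE Id={id_value}"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, id_value):
    """Parameterized: the statement is compiled with a '?' placeholder and the
    value is bound afterwards. The whole payload string is compared against
    Id as a single value; it is never parsed as SQL, so no rows match."""
    sql = "SELECT Name, Address FROM Users WHERE Id=?"
    return conn.execute(sql, (id_value,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("unsafe:", lookup_unsafe(db, UNION_PAYLOAD))
    print("safe:  ", lookup_safe(db, UNION_PAYLOAD))
```

The intent of the query ("give me the name and address of the user with this Id") survives in `lookup_safe` because the query text is fixed before the value is seen; in `lookup_unsafe` the attacker rewrites the intent to "also give me every card number".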
Started by davy_yg

Hello, I am trying to prevent SQL injection in CodeIgniter. I am reading this link: https://www.roytuts.com/prevent-sql-injection-in-codeigniter/ I do not understand what the purpose of Escaping Queries, Query Binding and Active Record is. Thanks in advance.

Last post by davy_yg
Started by k.vijayakumar

Hi, I have a common page (sqlhelper.cs) where I am preparing the command and executing execnonquery, ... But Veracode reported SQL injection flaw 89 in the following code, saying there is an issue with the parameters. How can I skip this verification? Are there any extra validations I need to put in the following code? Please help. private static …

Last post by k.vijayakumar
Started by rahul.patil123

There is an SQLi vulnerability in my client's website. I can't give you the links, but can you guys suggest how to avoid it?

Last post by debasisdas
Started by Karlwakim

Hi everybody, I found an error-based SQL injection in my web server. My database doesn't contain any private info. I want to know if it's possible to own my server just by using the info in information_schema. Please tell me, because I want to know if I have to fix it. I don't …

Last post by Karlwakim
Started by Stefano Mtangoo

Hi, I have a DAL class and I have done query parametrization to avoid SQL injection. As you can see, the weak point for a dynamic query is the table name and column name. I have made a small function to (hopefully) validate the table variable before I add it to the SQL command string. Now I was …

Last post by Stefano Mtangoo
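The weak point named in the post above is real: a bind parameter can only stand in for a value, so a table or column name has to be checked some other way before it goes into the command string. The following is an added example, not the poster's DAL code: it first shows that SQLite rejects a `?` in table position, then validates identifiers against a constructed allowlist and quotes them, while the row id is still bound as a parameter. The allowlists, tables and rows are made up for the demo.

```python
"""Added example: validating table and column names that cannot be bound
as parameters. Allowlists, schema and rows are constructed for this demo."""
import sqlite3

# Constructed allowlists: a logical key maps to the real table name, and each
# table lists the columns callers may ask for. Anything not listed is rejected
# before it gets anywhere near the SQL text.
ALLOWED_TABLES = {"users": "Users", "orders": "Orders"}
ALLOWED_COLUMNS = {
    "Users": {"Id", "Name", "Address"},
    "Orders": {"Id", "UserId", "Total"},
}


def build_db():
    """In-memory SQLite database with the two allowlisted tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE Users (Id INTEGER PRIMARY KEY, Name TEXT, Address TEXT);
        CREATE TABLE Orders (Id INTEGER PRIMARY KEY, UserId INTEGER, Total REAL);
        INSERT INTO Users VALUES (1, 'alice', '1 Main St');
        INSERT INTO Orders VALUES (10, 1, 42.5);
        """
    )
    return conn


def placeholder_cannot_bind_identifier(conn):
    """A '?' binds values only. Putting one where a table name belongs is a
    syntax error, which is why identifiers need validation rather than binding."""
    try:
        conn.execute("SELECT Id FROM ?", ("Users",))
    except sqlite3.OperationalError:
        return True
    return False


def quote_ident(name):
    """Quote an already-validated identifier the SQL-standard way (double
    quotes, embedded quotes doubled). Quoting is defence in depth; the
    allowlist check is what actually keeps attacker strings out."""
    return '"' + name.replace('"', '""') + '"'


def select_by_id(conn, table_key, column, row_id):
    """Build the statement only from allowlisted identifiers; the row id is
    still passed as a bound parameter."""
    table = ALLOWED_TABLES.get(table_key)
    if table is None:
        raise ValueError(f"table not allowed: {table_key!r}")
    if column not in ALLOWED_COLUMNS[table]:
        raise ValueError(f"column not allowed for {table}: {column!r}")
    sql = f"SELECT {quote_ident(column)} FROM {quote_ident(table)} WHERE Id = ?"
    return conn.execute(sql, (row_id,)).fetchall()


def is_rejected(conn, table_key, column, row_id):
    """True if select_by_id refuses the identifiers without running any SQL."""
    try:
        select_by_id(conn, table_key, column, row_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print("placeholder as table name fails:", placeholder_cannot_bind_identifier(db))
    print(select_by_id(db, "users", "Name", 1))
    print("injected column rejected:", is_rejected(db, "users", "Name; DROP TABLE Users", 1))
```

Mapping from a logical key to the real table name means the caller never supplies a raw identifier at all, so a regex or escaping routine is not what the security rests on.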
Started by Stefano Mtangoo

Hi, I'm becoming more paranoid about security issues (not insane, anyway :)) and would like to ask you guys what you do to prevent SQL injection apart from using parametrized queries and data validation. Thanks

Last post by Stefano Mtangoo
Started by wd3bbas

[B]Is CodeIgniter able to protect your site from SQL injection when you use Active Record?[/B]

Last post by McLaren
Started by liran

Hi, I have a question: suppose I use JDBC and JDBCTemplate in order to execute an SQL query. The query is something like: query = "SELECT ... FROM ... WHERE user = ? AND password = ? AND x='valuex' AND y='valuey' ..." where user and password I got from the web user …

Last post by liran
Started by happygeek

Yesterday [URL="http://www.daniweb.com/blogs/entry3943.html"]I reported[/URL] how the security vendor Kaspersky had allegedly fallen victim to a SQL injection attack, with the usa.kaspersky.com website hacked and plenty of data potentially exposed. I said that Kaspersky would no doubt make an official statement sooner rather than later, and it has. Unfortunately it is one …

Last post by wildsniper
Started by happygeek

File under FAIL: social network widget maker RockYou has fallen victim to a SQL injection flaw, and as a result some 32.6 million users are being urged to change their passwords as a matter of urgency. Security specialists Imperva discovered the problem at social networking development site Rockyou.com and issued …

Last post by Alex_
Started by happygeek

According to a new report, published today by SANS, the overwhelming majority of all cyber-security risks can be laid at the door of just two areas: unpatched client-side software and vulnerable Internet-facing web sites. The report was compiled by Rohit Dhamankar, Mike Dausin, Marc Eisenbarth and James King of …
Started by happygeek

Today is [URL="http://www.saferinternet.org"]Safer Internet Day[/URL] 2009, apparently. Every year since 2004, one day in February has been designated as Safer Internet Day in order to promote safer and more responsible use of online technology and mobile phones. It is aimed primarily at children and young people across the world. …

The End.