SQL Injection - Revision history

Jakeh: /* ColdFusion - Prevent SQL Injection with cfqueryparam */

2014-11-18T23:25:31Z

‎ColdFusion - Prevent SQL Injection with cfqueryparam

Briana: /* Tips on Preventing SQL Injection Attacks */

2013-03-07T19:04:15Z

‎Tips on Preventing SQL Injection Attacks

Jakeh: /* Tips on Preventing SQL Injection Attacks */

2013-02-10T00:49:07Z

‎Tips on Preventing SQL Injection Attacks

Carlb at 04:03, 22 November 2012

2012-11-22T04:03:47Z

Carlb: Created page with "==Tips on Preventing SQL Injection Attacks== To sanitize form input for sending to a database, always be sure to escape the single quote by searching and replacing it with tw..."

2012-11-22T04:03:18Z

Created page with "==Tips on Preventing SQL Injection Attacks== To sanitize form input for sending to a database, always be sure to escape the single quote by searching and replacing it with tw..."

New page

==Tips on Preventing SQL Injection Attacks==

To sanitize form input for sending to a database, always be sure to escape the single quote by searching and replacing it with two single quotes. This will cause the database to send the quote string as a literal character rather than interpreting it as the closing of a string. Be aware, however, that since numeric input does not require quotes, this technique will not be effective. In the case of numeric input, simply check that the form input is indeed numeric.

One method of preventing SQL injection is to avoid the use of dynamically generated SQL in your code. By using parameterized queries and stored procedures, you then make it impossible for SQL injection to occur against your application.

<ul><li>Escape single quotation marks. Include code within your Web applications that replaces single apostrophes with double apostrophes. This will force the database server to recognize the apostrophe as a literal character rather than a string delimiter.</li><li>Filter user input. Filtering user input before it is passed into a SQL query will prevent the possibility of executing SQL commands. (ex. Strip input strings of all characters that are not alphanumeric (a-z, A-Z or 0-9))</li><li>Limit the privileges available to the account that executes Web application code. For example, if an account only had permission to perform the intended action (retrieving records from a table), then delete, insert or create queries would not be possible.</li><li>Reduce or eliminate debugging information. When an error condition occurs on your server, the Web user should not see technical details of the error. This type of information could aid an intruder seeking to explore the structure of your database.</li></ul>

**Note to PHP users connecting to MySQL databases

There are at least two ways to make MySQL queries safe using PHP. The first, and often simplest, method is to use mysql_real_escape_string on each variable used in a MySQL query. Please see the <a href="http://php.net/mysql_real_escape_string">PHP documentation</a> for more information.

The second method is to use prepared statements. You can do this using the MySQL Improved Extension in PHP 5. For more information, please refer to the <a href="http://php.net/manual/en/book.mysqli.php">PHP documentation</a> for more information.

@@ Line 34: / Line 34: @@
 </pre>
-NOTE:  It is important to match the [http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7f6f.html cfsqltype] value with the proper data type for that field.
+NOTE:  It is important to match the [https://wikidocs.adobe.com/wiki/display/coldfusionen/cfqueryparam cfsqltype] value with the proper data type for that field.
 ==Cleaning your MS SQL Database after a SQL Injection Attack==

← Older revision		Revision as of 19:04, 7 March 2013
Line 13:		Line 13:

	The second method is to use prepared statements. You can do this using the MySQL Improved Extension in PHP 5. For more information, please refer to the <a href="http://php.net/manual/en/book.mysqli.php">PHP documentation</a> for more information.		The second method is to use prepared statements. You can do this using the MySQL Improved Extension in PHP 5. For more information, please refer to the <a href="http://php.net/manual/en/book.mysqli.php">PHP documentation</a> for more information.
		+
		+
		+	===ColdFusion - Prevent SQL Injection with cfqueryparam===
		+	By using cfqueryparam you can prevent SQL injection into your database via un-sanitized input.
		+
		+	Here is some sample code that is not safe:
		+	<pre>
		+	<cfquery name="myQueryName" DATASOURCE="#Application.MyDSN#">
		+	INSERT INTO myTable(customer_fname) VALUES ('#form.customer_fname#')
		+	</cfquery>
		+	</pre>
		+
		+	The example above clearly just takes input from a form and inserts it into the database. That is VERY dangerous.
		+
		+	Instead, here is a the proper way to do this, by sanitizing the form input with cfqueryparam:
		+	<pre>
		+	<cfquery name="myQueryName" DATASOURCE="#Application.MyDSN#">
		+	INSERT INTO myTable(customer_fname) VALUES (<cfqueryparam value='#form.customer_fname#' cfsqltype="cf_sql_varchar">)
		+	</cfquery>
		+	</pre>
		+
		+	NOTE: It is important to match the [http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7f6f.html cfsqltype] value with the proper data type for that field.

	==Cleaning your MS SQL Database after a SQL Injection Attack==		==Cleaning your MS SQL Database after a SQL Injection Attack==

@@ Line 1: / Line 1: @@
 ==Tips on Preventing SQL Injection Attacks==
@@ Line 13: / Line 14: @@
 The second method is to use prepared statements. You can do this using the MySQL Improved Extension in PHP 5. For more information, please refer to the <a href="http://php.net/manual/en/book.mysqli.php">PHP documentation</a> for more information.
 [[category:Databases-MySQL]]

@@ Line 7: / Line 7: @@
 <ul><li><b>Escape single quotation marks</b>. Include code within your Web applications that replaces single apostrophes with double apostrophes. This will force the database server to recognize the apostrophe as a literal character rather than a string delimiter.</li><li><b>Filter user input. </b>Filtering user input before it is passed into a SQL query will prevent the possibility of executing SQL commands. (ex. Strip input strings of all characters that are not alphanumeric (a-z, A-Z or 0-9))</li><li><b>Limit the privileges available to the account that executes Web application code</b>. For example, if an account only had permission to perform the intended action (retrieving records from a table), then delete, insert or create queries would not be possible.</li><li><b>Reduce or eliminate debugging information</b>. When an error condition occurs on your server, the Web user should not see technical details of the error. This type of information could aid an intruder seeking to explore the structure of your database.</li></ul>
-**Note to PHP users connecting to MySQL databases
+*Note to PHP users connecting to MySQL databases
 There are at least two ways to make MySQL queries safe using PHP. The first, and often simplest, method is to use mysql_real_escape_string on each variable used in a MySQL query. Please see the <a href="http://php.net/mysql_real_escape_string">PHP documentation</a> for more information.
 The second method is to use prepared statements. You can do this using the MySQL Improved Extension in PHP 5. For more information, please refer to the <a href="http://php.net/manual/en/book.mysqli.php">PHP documentation</a> for more information.