Questions tagged [sql-injection]

SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).

SQL injection exploits a type of computer security vulnerability found in applications with SQL databases. It enables attackers to apply malicious SQL commands to the database via user input. It can for example extract, alter or delete sensitive data.

The vulnerability is present when user input is used directly in the SQL commands, instead of as parameters or properly filtered (also known as "sanitized", e.g. by quoting escape characters). It happens primarily because of poorly written SQL handling functions in client applications.

See famous example - Bobby Tables incident and the community wiki question's answer How can I prevent SQL injection in PHP?

Useful Links

3768 questions
27 answers

How can I prevent SQL injection in PHP?

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example: $unsafe_variable = $_POST['user_input']; mysql_query("INSERT INTO `table` (`column`) VALUES…
Andrew G. Johnson
  • 26,603
  • 30
  • 91
  • 135
16 answers

How can I sanitize user input with PHP?

Is there a catchall function somewhere that works well for sanitizing user input for SQL injection and XSS attacks, while still allowing certain types of HTML tags?
  • 23,354
  • 10
  • 44
  • 49
13 answers

How does the SQL injection from the "Bobby Tables" XKCD comic work?

Just looking at: (Source: What does this SQL do: Robert'); DROP TABLE STUDENTS; -- I know both ' and -- are for comments, but doesn't the word DROP get commented as well since it is part of the same line?
  • 259,732
  • 324
  • 769
  • 1,199
4 answers

SQL injection that gets around mysql_real_escape_string()

Is there an SQL injection possibility even when using mysql_real_escape_string() function? Consider this sample situation. SQL is constructed in PHP like this: $login = mysql_real_escape_string(GetFromPost('login')); $password =…
Richard Knop
  • 81,041
  • 149
  • 392
  • 552
7 answers

Are PDO prepared statements sufficient to prevent SQL injection?

Let's say I have code like this: $dbh = new PDO("blahblah"); $stmt = $dbh->prepare('SELECT * FROM users where username = :username'); $stmt->execute( array(':username' => $_REQUEST['username']) ); The PDO documentation says: The parameters to…
Mark Biek
  • 146,731
  • 54
  • 156
  • 201
10 answers

How can prepared statements protect from SQL injection attacks?

How do prepared statements help us prevent SQL injection attacks? Wikipedia says: Prepared statements are resilient against SQL injection, because parameter values, which are transmitted later using a different protocol, need not be correctly…
  • 12,247
  • 36
  • 89
  • 150
15 answers

Java - escape string to prevent SQL injection

I'm trying to put some anti sql injection in place in java and am finding it very difficult to work with the the "replaceAll" string function. Ultimately I need a function that will convert any existing \ to \\, any " to \", any ' to \', and any \n…
Scott Bonner
  • 2,890
  • 5
  • 27
  • 28
10 answers

How does a PreparedStatement avoid or prevent SQL injection?

I know that PreparedStatements avoid/prevent SQL Injection. How does it do that? Will the final form query that is constructed using PreparedStatements be a string or otherwise?
Prabhu R
  • 13,836
  • 21
  • 78
  • 112
19 answers

Can I protect against SQL injection by escaping single-quote and surrounding user input with single-quotes?

I realize that parameterized SQL queries is the optimal way to sanitize user input when building queries that contain user input, but I'm wondering what is wrong with taking user input and escaping any single quotes and surrounding the whole string…
  • 5,970
  • 4
  • 24
  • 21
7 answers

Why do we always prefer using parameters in SQL statements?

I am very new to working with databases. Now I can write SELECT, UPDATE, DELETE, and INSERT commands. But I have seen many forums where we prefer to write: SELECT empSalary from employee where salary = @salary ...instead of: SELECT empSalary from…
  • 11,332
  • 27
  • 76
  • 122
6 answers

Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?

Earlier today a question was asked regarding input validation strategies in web apps. The top answer, at time of writing, suggests in PHP just using htmlspecialchars and mysql_real_escape_string. My question is: Is this always enough? Is there more…
  • 35,194
  • 20
  • 73
  • 86
11 answers

Is it safe to not parameterize an SQL query when the parameter is not a string?

In terms of SQL injection, I completely understand the necessity to parameterize a string parameter; that's one of the oldest tricks in the book. But when can it be justified to not parameterize an SqlCommand? Are any data types considered "safe" to…
  • 7,310
  • 17
  • 40
  • 61
21 answers

Avoiding SQL injection without parameters

We are having another discussion here at work about using parametrized sql queries in our code. We have two sides in the discussion: Me and some others that say we should always use parameters to safeguard against sql injections and the other guys…
Rune Grimstad
  • 35,612
  • 10
  • 61
  • 76
5 answers

Preventing SQL injection in Node.js

Is it possible to prevent SQL injections in Node.js (preferably with a module) in the same way that PHP had Prepared Statements that protected against them. If so, how? If not, what are some examples that might bypass the code I've provided (see…
  • 9,167
  • 9
  • 36
  • 59
9 answers

What is SQL injection?

Can someone explain SQL injection? How does it cause vulnerabilities? Where exactly is the point where SQL is injected?
2 3
99 100