Questions tagged [sql-injection]

SQL injection is a technique used to take advantage of vulnerabilities arising from non-validated input on web applications to pass SQL commands through for execution on a backend database.

SQL injection is an attack technique aimed at databases. Web applications that do not validate input may evaluate executable statements embedded in that input, including SQL commands. Attackers exploit the fact that programmers often concatenate SQL commands with user-provided parameters, or build SQL commands from user input, by embedding SQL fragments inside those parameters. Using this technique, an attacker can execute arbitrary SQL queries and/or commands on the backend database server through the web application.

901 questions
563
votes
20 answers

How can I explain SQL injection without technical jargon?

I need to explain SQL injection to someone without technical training or experience. Can you suggest any approaches that have worked well?
torayeff
  • 4,535
  • 4
  • 16
  • 15
310
votes
16 answers

SQL injection is 17 years old. Why is it still around?

I'm no techie and would like your expertise in understanding this. I recently read a detailed article on SQLi for a research paper. It strikes me as odd. Why do so many data breaches still happen through SQL injection? Is there no fix?
Ishan Mathur
  • 2,603
  • 2
  • 10
  • 9
241
votes
12 answers

Is single quote filtering nonsense?

Penetration testers found out that we allow single quotes in submitted data fields, and want us to apply rules (input validation) to not allow them in any value. While I'm aware that single quotes are popular for SQL injection attacks, I strongly…
Peter Walser
  • 1,781
  • 2
  • 11
  • 9
89
votes
2 answers

Are prepared statements 100% safe against SQL injection?

Are prepared statements actually 100% safe against SQL injection, assuming all user-provided parameters are passed as query bound parameters? Whenever I see people using the old mysql_ functions on StackOverflow (which is, sadly, way too frequently)…
Polynomial
  • 132,208
  • 43
  • 298
  • 379
81
votes
19 answers

Good analogy needed: Sec issues due to different coders implementing the same features in different ways for the same app

I have to give a school presentation about vulnerabilities found in the Moodle platform. Of course, they only apply to a legacy version which has since been patched. The catch is that the presentation should be aimed at an audience with no technical…
SuperSpitter
  • 833
  • 1
  • 6
  • 5
80
votes
7 answers

SQL injection -- why isn't escape quotes safe anymore?

Raw SQL When you're writing SQL -- for anything that takes human input really, a lot of things have been done to avoid the injection. Everyone that's heard of SQL injection knows that (I'm going to use PHP as a sample) doing something like this…
Incognito
  • 5,204
  • 5
  • 27
  • 31
75
votes
10 answers

Why Disallow Special Characters In a Password?

The culprit in this case is a particular (and particularly large) bank that does not allow special characters (of any sort) in their passwords: Just [a-Z 1-9]. Is there any valid reason for doing this? It seems counterproductive to stunt password…
Gary
  • 851
  • 1
  • 6
  • 8
70
votes
3 answers

Is this a SQL injection attack or is it some sort of bug?

I was looking through some data in our database when I came across a bunch of weird user_id entries: user_id -1080) ORDER BY 1# -1149 UNION ALL SELECT 79,79,79,79,79,79,79,79,79# -1359' UNION ALL SELECT 79,79,79,79,79,79,79,79,79,79-- JwSh -1409'…
turnip
  • 785
  • 1
  • 6
  • 9
54
votes
4 answers

Does read-only access to the database prevent SQL injection?

I have a web api that connects to my SQL Server using a read-only connection and want to allow tech savvy users of my api to enter an SQL where clause on the querystring. I basically just want to tack what they enter onto the select statement. Does…
Aaron
  • 643
  • 1
  • 5
  • 5
52
votes
3 answers

How do I test for SQL injection vulnerabilities on a site with input fields?

What methods are available for testing SQL injection vulnerabilities?
John S
  • 621
  • 1
  • 6
  • 3
51
votes
8 answers

Is there a field length that is too short to allow harmful SQL injection?

I was reading about SQL injection and saw this, which got me thinking: input fields as small as possible to reduce the likelihood of a hacker being able to squeeze SQL code into the field without it being truncated (which usually leads to a T-SQL…
James Jenkins
  • 723
  • 1
  • 5
  • 10
49
votes
1 answer

In SQL injections why do they put "-- -" at the end of the URL?

I understand when they put a + at the end, URL treats it like a space. I want to know what -- - does. I do know what the "double dash" does. Including the double dash with a "space at the end". I specifically want to know what a dash-dash-space-dash…
Linux Newbie
  • 635
  • 1
  • 5
  • 7
48
votes
2 answers

Is this an attempted SQL injection?

Looking through error logs I found lots of requests to a web-app where the URL contains: /if(now()=sysdate(),sleep(10),0)/*'XOR(if(now()=sysdate(),sleep(10),0))OR'"XOR(if(now()=sysdate(),sleep(10),0))OR"*/ I read that could be a part of an attack…
Tony
  • 481
  • 1
  • 4
  • 4
40
votes
6 answers

Is SQL injection possible with LIMIT?

A friend of mine built a web application that I'm testing for fun. I noticed that he allows a user to set the limit of a certain query, and that limit is not sanitized. For example, I can choose any number or string I like as a limit. I realize…
Ali
  • 519
  • 1
  • 4
  • 8
39
votes
7 answers

Is it possible to detect 100% of SQLi with a simple regex?

I'm wondering if it is possible to detect 100% of the possible SQLi attacks using a simple regex. In other words, using very simple PHP code as an example: if (preg_match("/select/i", $input)) { attack_log("Possible SELECT SQLi…
reed
  • 15,398
  • 6
  • 43
  • 64