Questions tagged [sql-injection]

SQL injection is a malicious technique employed to target data-driven applications by inserting harmful SQL statements into entry fields in order to launch attacks on the database, such as extracting its contents for the benefit of the attacker.

Cleaning up database queries in MySQL without the use of prepared statements (PHP + outdated MySQL module)

Hello there! I recently came across an interesting issue regarding SQL injection in a PHP script that I downloaded called phpsimplechat. The author of the script created their own SQL layer which unfortunately turned out to be vulnerable to SQL Injection a ...

Escaping single quotes within parameters of PDO prepared statements

It seems that using PDO Prepared Statements protects against SQL injection and ' escapes. I recently tested the following code... if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST["id"])) { $id = $_POST["id"]; //$id = "2&ap ...

What steps should be taken to mitigate the impact of a SQL-Injection attack?

As I embark on learning database designing and PHP, my main concern is SQL injection. In the event that it does happen, I am curious if there is a way to reverse it automatically, reset affected accounts, close hacked databases, or even find a way to aut ...

What is the best way to send an array as a parameter to a Vertica query in a node.js environment?

Currently, I am working on executing SQL queries against a Vertica database. This process has been successful so far. However, in order to prevent SQL injection, I have decided to use parameterized queries. It seems that Vertica supports parameters as ? (u ...

What is the best way to write an SQL query to safely insert a record into a table with a dynamic name?

I'm working on a function that can insert a record into a table in PostgreSQL. The catch is that the table name needs to be a parameter for the function, and the column names are determined dynamically. To ensure protection against SQL Injection, I am cons ...

Is mysql(i)_real_escape_string a reliable method for ensuring data safety?

function CustomQuery() { $arguments = func_get_args (); if (sizeof ($arguments) > 0) { $query_string = $arguments[0]; for ($index = 1; $index < sizeof ($arguments); $index++) $query_string = preg_replac ...

Ways to eliminate HTML tags from the output while preserving the formatting

I recently encountered an issue working with a MySQL database. To prevent SQL injections, I utilized: $entities_correction = htmlspecialchars($Query, ENT_COMPAT, 'UTF-8'); However, when attempting to display the data to the user, it appeared as ...

Can mysqli_real_escape_string prevent SQL injection attacks?

Is it possible to exploit the following code in order to log in as a specific username, such as Sam? The mysqli_real_escape_string() function is used to escape certain characters including NUL (ASCII 0), \n, \r, \, ', ", and Control-Z. I attempted with us ...

SQL Injection - what more could you ask for?

Recently, I discovered an interesting Firefox addon called 'SQL Inject Me'. To satisfy my curiosity, I decided to test it on a simple phonebook intranet site that has an admin account. The test results showed 51 #302 errors, but despite trying them out, I ...