SQL Injection, replace single quote with two single quotes?
Is replacing a single quote with two single quotes adequate for eliminating SQL injection attacks? This article (http://www.devguru.com/features/kb/kb100206.asp) offers that advice, and it enabled me to allow users to search name fields in the database that contain single quotes.
I was advised to use "Parameterized SQL" in an earlier post, but I can't understand the concept behind that method, and whether it applies to queries, writes, or both.
Then you can use both stored procedures and prepared statements. Both provide better protection than simply replacing apostrophes.
Prepared statements are simple:
Set myCommand = Server.CreateObject("ADODB.Command")
...snip...
myCommand.CommandText = "INSERT INTO Users([Name], [Email]) VALUES (?, ?)"
...snip...
' CreateParameter(name, type, direction, size, value): 200 = adVarChar, 1 = adParamInput, 50 = max length
myCommand.Parameters.Append myCommand.CreateParameter("@Name", 200, 1, 50, Name)
myCommand.Parameters.Append myCommand.CreateParameter("@Email", 200, 1, 50, Email)
' the ,,128 (adExecuteNoRecords) sets execution flags that tell ADO not to look for rows
' to be returned. This saves the expense of creating a recordset object you don't need.
myCommand.Execute ,,128
Stored procedures are executed in a similar manner. DW can help you with a stored procedure through the "Command (Stored Procedure)" server behavior.
You can see a full example of a prepared statement by looking at DW's recordset code after you've created a recordset using version 8.02.
"Mike Z" <[email protected]> wrote in message news:eo5idq$3qr$[email protected]..
> I should have repeated this, I am using VBScript in ASP, with an Access DB.
Similar Messages
-
How to replace one char with two chars in email address policy?
I very much like to replace the 'ß' char in the surname with 'sz'. However, applying filter '%rßsz%[email protected]' on 'Preußig' leaves me with '[email protected]'.
So, how do I replace one char with two chars in email address policy?
As far as I know, your only solution is to manually create such addresses instead of using e-mail address policy.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems." -
What is SQL Injection?
SQL Injection is a way to attack the data in a database through a firewall protecting it. It is a method by which the parameters of a Web-based application are modified in order to change the SQL statements that are passed to a database to return data. For example, by adding a single quote (') to the parameters, it is possible to cause a second query to be executed with the first.
An attack against a database using SQL Injection could be motivated by two primary objectives:
1. To steal data from a database from which the data should not normally be available, or to obtain system configuration data that would allow an attack profile to be built. One example of the latter would be obtaining all of the database password hashes so that passwords can be brute-forced.
2. To gain access to an organisation’s host computers via the machine hosting the database. This can be done using package procedures and 3GL language extensions that allow O/S access.
There are many ways to use this technique on an Oracle system. This depends upon the language used or the API. The following are some languages, APIs and tools that can access an Oracle database and be part of a Web-based application.
* JSP
* ASP
* XML, XSL and XSQL
* Javascript
* VB, MFC, and other ODBC-based tools and APIs
* Portal, the older WebDB, and other Oracle Web-based applications and APIs
* Reports, Discoverer, Oracle Applications
* 3- and 4GL-based languages such as C, OCI, Pro*C, and COBOL
* Perl and CGI scripts that access Oracle databases
* many more.
Any of the above applications, tools, and products could be used as a base from which to SQL inject an Oracle database. A few simple preconditions need to be in place first though. First and foremost amongst these is that dynamic SQL must be used in the application, tool, or product, otherwise SQL Injection is not possible.
The final important point not usually mentioned in discussions about SQL injection against any database including Oracle is that SQL injection is not just a Web-based problem. As is implied in the preceding paragraph, any application that allows a user to enter data that may eventually end up being executed as a piece of dynamic SQL can potentially be SQL injected. Of course, Web-based applications present the greatest risk, as anyone with a browser and an Internet connection can potentially access data they should not.
While the second article of this series will include a much more in-depth discussion of how to protect against SQL injection attacks, there are a couple of brief notes that should be mentioned in this introductory section. Data held in Oracle databases should be protected from employees and others who have network access to applications that maintain that data. Those employees could be malicious or may simply want to read data they are not authorized to read. Readers should keep in mind that most threats to data held within databases come from authorized users.
Protecting against SQL Injection on Oracle-based systems is simple in principle and includes two basic stages. These are:
1. Audit the application code and change or remove the problems that allow injection to take place. (These problems will be discussed at greater length in the second part of this series.)
2. Enforce the principle of least privilege at the database level so that even if someone is able to SQL inject an application to steal data, they cannot see any more data than the designer intended through any normal application interface.
The “Protection” section, which will be included in the second part of this series, will discuss details of how to apply some of these ideas specifically to Oracle-based applications.
[http://www.securityfocus.com/infocus/1644]
How does Oracle prevent SQL injections?
mango_boy wrote:
damorgan wrote:
And they do so using bind variables
http://www.morganslibrary.org/reference/bindvars.html
and DBMS_ASSERT
http://www.morganslibrary.org/reference/dbms_assert.html
do you have any suggestion for mysql users??
Yes. Install Oracle. -
How to replace double quotes with a single quote in a string ?
Hi All:
Can some one tell me how to replace double Quote (") in a string with a single quote (') ? I tried to use REPLACE function, but I couldn;t get it worked.
My example is SELECT REPLACE('STN. "A"', '"', ''') FROM Dual --This one throws an error
Thanks,
Dima.
Whether it is maybe not the more comfortable way, I like the quoting capability from 10g :
SQL> SELECT REPLACE('STN. "A"', '"', q'(')') FROM Dual;
REPLACE(
STN. 'A'
Nicolas. -
Firefox is replacing double quotes with single quotes.
In WordPress and at other sites where I input and save text, Firefox is replacing double quotes with single quotes when I save. It's also showing double quotes as single quotes on websites. I tried uninstalling and reinstalling, and it's still happening.
Do you have the needed font installed?
*http://en.wikipedia.org/wiki/Punctuation -
Replace Single Quote with double quote
Hi All,
I have a String s="help'me'to'replace";
i want to replace single quote( ' ) in to double quote ( " )
The final out put should be like this help"me"to"replace
( Actually this string i have to pass in to an XML )
Please help any ones.
s = s.replaceAll("'", "\"");
or just one of the String#replace() methods.
Edited by: sabre150 on Mar 17, 2009 11:48 AM -
TWO DATASETS WITH TWO REPORTS IN SINGLE RTF
Hi All,
i want to use two datasets in BIP followed by single RTF having two different reports(DS1-Table1,DS2-Table2) we are using SQL queries for the dataset please give some suggestions how to connect two different datasets with two different tables in a single RTF
note:
output of dataset 1 should come in table 1
output of dataset 2 should come in table 2 and both this tables are in single rtf
we have used Concatenate operator in BIP but its doing Union and throwing the output in single table not in two different tables please help
regards
bhaskar
Table 1
0-1 year Over 1year Total
LC 0.00
Guarantees 0.00
Others (specify) 0.00
Total 0.00 0.00 0.00
=======================================================================================
Table 2
0-1 year Over 1year Total
Unutilized Lines of Credit 0.00
Unutilized Overdraft Facilities 0.00
Others (specify) 0.00
Total 0.00 0.00 0.00
We are using two different SQl queries for the table 1 and table 2 this two tables should appear in Single RTF
i.e sql 1 should come only in table 1
and sql2 should come only in table 2
i have used Concatenate operation in BIP with multiple datasets its repeating in single table1 and i am unable to split them into two tables please help on this -
Is it possible to use a single iPhone with two contact numbers via dual sim or an app?
Is it possible to use a single iPhone with two contact numbers via dual sim or an app?
This would be a useful feature for personal and company numbers but using one mobile, rather than carrying two devices or diverting calls.
Then go ahead and try it. You'll find it's probably a load of crap.
You want 2 numbers, then use Google Voice or TalkaTone
Those are US based only Apps or numbers so no good. I won't be wasting money by just trying something either, especially because using a dual sim would mean purchasing another sim card on either pay as you go or monthly contact. -
Start SQL Server in single user mode with parameter -m doesn't work well
C:\Windows\system32>net start mssqlserver /m "Microsoft SQL Server Management Studio - Query"
The SQL Server (MSSQLSERVER) service is starting.
The SQL Server (MSSQLSERVER) service was started successfully.
C:\Windows\system32>sqlcmd -S . -e
1> go
1> select @@servername;
2> go
select @@servername;
myserver
(1 rows affected)
1>
As you can see, I'm still able to connect to SQL Server with the sqlcmd prompt. According to the production doc of SQL Server 2014, it should not be connectable by sqlcmd; it should only be connectable by SSMS.
below the original doc on msdn:
Start SQL Server in Single-User Mode
Under certain circumstances, you may have to start an instance of SQL Server
in single-user mode by using the startup option -m. For
example, you may want to change server configuration options or recover a
damaged master database or other system database. Both actions require starting
an instance of SQL Server in single-user mode.
Starting SQL Server in single-user mode enables any member of the computer's
local Administrators group to connect to the instance of SQL Server as a member
of the sysadmin fixed server role. For more information, see Connect to
SQL Server When System Administrators Are Locked
Out.
When you start an instance of SQL Server in single-user mode, note the
following:
Only one user can connect to the server.
The CHECKPOINT process is not executed. By default, it is executed
automatically at startup.
Note
Stop the SQL Server Agent service before connecting to an instance of SQL
Server in single-user mode; otherwise, the SQL Server Agent service uses the
connection, thereby blocking it.
When you start an instance of SQL Server in single-user mode, SQL Server
Management Studio can connect to SQL Server. Object Explorer in Management
Studio might fail because it requires more than one connection for some
operations. To manage SQL Server in single-user mode, execute Transact-SQL
statements by connecting only through the Query Editor in Management Studio, or
use the
sqlcmd utility.
When you use the -m option with sqlcmd or
Management Studio, you can limit the connections to a specified client
application. For example, -m"sqlcmd" limits connections to a
single connection and that connection must identify itself as the
sqlcmd client program. Use this option when you are starting
SQL Server in single-user mode and an unknown client application is taking the
only available connection. To connect through the Query Editor in Management
Studio, use -m"Microsoft SQL Server Management Studio - Query".
Shawn
Hi Shawn Xiao,
For starting SQL Server instance in single user mode, we can add –m; parameter in SQL Server Configuration Manager, also we can run CMD with ‘Run as administrator’ and input the following statement.
NET START MSSQLSERVER /m
I do a test in SQL Server 2014 Express version, after starting SQL with Single User Mode, SQL Server will only accept one connection. If you connect to SQL Server with a user account, the following error will occur.
Login failed for user ‘domain\username’. Reason: Server is in single user mode. Only one administrator can connect at this time.
However, in your situation, you can connect to SQL Server and run T-SQL statement successfully, it can be due to connection with the administrator account in your sqlcmd.
For more information, you can review the following article.
http://zarez.net/?p=117
Regards,
Sofiya Li
TechNet Community Support -
How to replace one double quotes with two double quotes in XSLT
How can I replace one double quote to a two double quote in a string in XSLT
I am passing the parameter string to XSLT template contains the value as
<xsl:variable name="Description">Hi! "How are you</xsl:variable>
<xsl:variable name="VQuotes">""</xsl:variable>
I nead the output as
Hi! ""How are you.
Tried with Translate function, but it did not work out
<xsl:element name="DESCRIPTION_SHORT">
<xsl:value-of select="translate($Description,'"', VQuotes)" />
</xsl:element>
But it is giving the same result as Hi! "How are you
When I tried with
<xsl:element name="DESCRIPTION_SHORT">
<xsl:value-of select="translate($Description,'"', 'BB')" />
</xsl:element>
It gave the result as
Hi! BHow are you.
It is replacing only one character with one. how to make it for two characters.
Am I doing anything wrong in syntax?
Please help.
Regards, Vignesh S
Hi Vignesh,
Try this.
Its a two step process:
Step1: Add the following template, which will be "called" to do the replacement as you want:
<xsl:template name="string-replace-all">
<xsl:param name="text" />
<xsl:param name="replace" />
<xsl:param name="by" />
<xsl:choose>
<xsl:when test="contains($text, $replace)">
<xsl:value-of select="substring-before($text,$replace)" />
<xsl:value-of select="$by" />
<xsl:call-template name="string-replace-all">
<xsl:with-param name="text"
select="substring-after($text,$replace)" />
<xsl:with-param name="replace" select="$replace" />
<xsl:with-param name="by" select="$by" />
</xsl:call-template>
</xsl:when>
<xsl:otherwise>
<xsl:value-of select="$text" />
</xsl:otherwise>
</xsl:choose>
</xsl:template>
Step2: Call the above template in the place where you want to call it, like this:
<!--Define the variables-->
<xsl:variable name="Description">Hi! "How are you</xsl:variable>
<xsl:variable name="sQuotes">"</xsl:variable>
<xsl:variable name="VQuotes">""</xsl:variable>
<!--Following call the template which you have defined in step1-->
<xsl:element name="DESCRIPTION_SHORT">
<xsl:variable name="myVar">
<xsl:call-template name="string-replace-all">
<xsl:with-param name="text" select="$Description" />
<xsl:with-param name="replace" select="$sQuotes" />
<xsl:with-param name="by" select="$VQuotes" />
</xsl:call-template>
</xsl:variable>
<xsl:value-of select="$myVar" />
</xsl:element>
I have tested this and works. And outputs as the following with two-double quote as you want.
<DESCRIPTION_SHORT>Hi! ""How are you</DESCRIPTION_SHORT>
If this answers your question please mark it accordingly. If this post is helpful, please vote as helpful by clicking the upward arrow mark next to my reply. -
Files are downloaded and only then encoded, so I end up with two files in the drive.
That has been like that since Firefox 3.0 was released in June 2008 - 7 major version releases thus far with it like that and the developers haven't changed it - so I wouldn't count on it.
When I want to save a duplicate bookmark, I just "grab" the website image in the Location Bar and drag it into the Bookmarks Sidebar, into the folder where I want it placed. On Windows and Linux, { Ctrl + B } opens the sidebar and then just drag. -
One job with two steps - how to create one single spool?
Hello experts,
I have created two queries in SQVI. One is based on the table BSIK, the other on on BSAK.
The report layout is the same in both queries.
Now I schedule one job in SM36/SM37 with two steps corresponding to my queries.
I want my second step to append the spool created in the first step. Is that possible?
In order to do this I unchecked "New spool request" in the request attributes for the second step of the job.
I use the same printer, the same format (X_65_80), but it doesn't work.
The help on the field says
".... name, output device, number of prints and the format must match..." - What "name" do they mean?
"In addition, the existent spool order must not already be completed. This can occur if a spool is released for output...." - I use "send to SAP spooler only" option, is that what they mean? How can you have an "uncompleted spool" in the job.
If anybody knows how to do this (without development!), please advise
Best regards,
Fatima
Hi,
Please do following steps :
1. Go to transaction code SM36
2. Do as per below screen shots
You can see Job steps is empty
Click on (Check and Save)
Next Screen
You can see one step created
Click on Create
You can see above it is showing as Step 2
Give again program name and variant
Click on (Check and Save)
You can see two steps are created
Go back (green arrow)
You can see know SAP is showing 2 Step(s) successfully defined which was earlier blank
Click on
Next Screen
Now schedule job as per your requirement.
Prerequisite create variants for both the programs as we need to mention the same .
Hope, this solves your issue else revert.
Regards,
Tejas -
SQL Injection with CF7 and MS SQL 2005
I looked through a bunch of SQL injection posts and couldn't find a definitive answer to this...
Let me introduce this by saying that I know I should be using CFQUERYPARAM with EVERY CF variable in a CFQUERY tag. No excuses.
But for a necessary quick fix, if I only use it for numeric DB fields, is SQL injection still possible (using MS SQL 2005)? I've yet to successfully perform SQL injection while manipulating a variable surrounded by single quotes in the query.
Scenario 1) select * from users where user_id=#form.user_id#
...is a gimme to hack, but
Scenario 2) select * from users where password='#form.password#'
...is another story
Has anyone ever heard of a successful SQL injection attack in a Scenario 2 situation.
I'll fix everything up eventually, but I've got a Pen Test coming up soon, and a lot of raw code to review.
Thanks
quote:
Originally posted by: Dan Bracuk
What others can do is more relevant than what we think. When in doubt, test.
very true, although my final solution went more like, "When in doubt, manually add about 600 cfqueryparams in 406 cfquery tags". -
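The Scenario 1 / Scenario 2 question above, and the quote-doubling fix from the opening thread, as an added Python/sqlite3 example that is not code from either thread; the table, its rows and the search inputs are constructed for the demo:

```python
import sqlite3


def escape_quotes(value):
    """The fix discussed in the threads: double every single quote in the input."""
    return value.replace("'", "''")


def make_db():
    """Build an in-memory table with constructed sample rows (not data from the threads)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "Alice", "pw-a"), (2, "O'Brien", "pw-b"), (3, "Carol", "pw-c")])
    return conn


def search_name_escaped(conn, name):
    """Scenario 2: the value is wrapped in single quotes, so doubling keeps it inside the literal."""
    sql = "SELECT name FROM users WHERE name = '%s'" % escape_quotes(name)
    return [row[0] for row in conn.execute(sql)]


def lookup_id_escaped(conn, user_id):
    """Scenario 1: numeric column, no quotes around the value; escaping has nothing to double,
    so whatever the user typed reaches the SQL parser as syntax."""
    sql = "SELECT name FROM users WHERE user_id = %s" % escape_quotes(user_id)
    return [row[0] for row in conn.execute(sql)]


def search_name_param(conn, name):
    """Parameterised read: the driver binds the value; it is never part of the statement text."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def lookup_id_param(conn, user_id):
    """Parameterised read on the numeric column; non-numeric input simply matches no row."""
    rows = conn.execute("SELECT name FROM users WHERE user_id = ?", (user_id,))
    return [row[0] for row in rows]


def insert_user_param(conn, user_id, name, password):
    """Parameterised write (the opening thread asked whether parameters apply to writes too).
    Returns the row count after the insert."""
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (user_id, name, password))
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    # Quoted-string context: doubling the apostrophe finds O'Brien and keeps a stray quote inert.
    print(search_name_escaped(db, "O'Brien"), search_name_escaped(db, "x' OR '1'='1"))
    # Numeric context: the same escaping is a no-op, and the input changes the WHERE clause.
    print(lookup_id_escaped(db, "2"), lookup_id_escaped(db, "1 OR 1=1"))
    # Parameters behave the same way in both contexts, and for the INSERT.
    print(lookup_id_param(db, "2"), lookup_id_param(db, "1 OR 1=1"))
    print(insert_user_param(db, 4, "D'Angelo", "pw-d"), search_name_param(db, "D'Angelo"))
```

The escaped numeric lookup returns every row for the second input because no quote was present to double, which is why CFQUERYPARAM (or any bound parameter) is needed on numeric fields first, not last.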
How to convert pl/sql block into single update statement
Dear all gurus,
I have pl/sql block mention below, Can I convert this pl/sql block to single update statement if possible?
If not how to optimize this block?
Please suggest.
thanks in advance.
Vijay
DECLARE
CURSOR vt_mlr_cursor IS Select master_key, user4 from vt_mlr Where USER4 is not null;
USERFIELD VARCHAR2(100);
C1 VARCHAR2(3); /* this will return location of first space = 12 */
C2 VARCHAR2(3); /* this will return location of second space = 20 */
C3 VARCHAR2(3); /* this will return location of third space = 28 */
C4 VARCHAR2(3); /* this will return location of forth space = 35 */
Field1 VARCHAR2(40); /* this will return FTMYFLXA04W */
Field2 VARCHAR2(10); /* this will return VPI0043 */
Field3 VARCHAR2(10); /* this will return VCI0184 */
Field4 VARCHAR2(10); /* this will return 005 */
Field5 VARCHAR2(10); /* this will return 00001 */
Field_2_n_3 VARCHAR2(25);
key VARCHAR2(10);
BEGIN
FOR vt_mlr_record IN vt_mlr_cursor
LOOP
key := vt_mlr_record.master_key;
USERFIELD := vt_mlr_record.user4;
C1 := INSTR(vt_mlr_record.user4,' ',1,1); /* this will return location of first space = 12 */
C2 := INSTR(vt_mlr_record.user4,' ',1,2); /* this will return location of second space = 20 */
C3 := INSTR(vt_mlr_record.user4,' ',1,3); /* this will return location of third space = 28 */
C4 := INSTR(vt_mlr_record.user4,' ',1,4); /* this will return location of forth space = 35 */
Field1 := SUBSTR(vt_mlr_record.user4,1,C1-1); /* this will return FTMYFLXA04W */
Field2 := SUBSTR(vt_mlr_record.user4,C1+4,C2-C1-4); /* this will return VPI0043 */
Field3 := SUBSTR(vt_mlr_record.user4,C2+4,C3-C2-4); /* this will return VCI0184 */
Field4 := SUBSTR(vt_mlr_record.user4,C3+4,C4-C3-4); /* this will return 005 */
Field5 := SUBSTR(vt_mlr_record.user4,C4+4,LENGTH(vt_mlr_record.user4)-C4-3); /* this will return 00001 */
Field_2_n_3 := Field2 || '/' || Field3;
/*DBMS_OUTPUT.PUT_LINE ('Current key is: ' || vt_mlr_record.master_key);*/
UPDATE vt_mlr
SET
aggregator_clli = Field1,
aggregator_vpi_vci = Field_2_n_3,
aggregator_slot = Field4,
aggregator_port = Field5
WHERE
master_key = vt_mlr_record.master_key;
END LOOP;
END;
/
Hi Vijay,
Here's something to start with, you should be able to complete it.
First, combine your select and update statements:
update vt_mlr
set aggregator_clli = field1
,aggregator_vpi_vci = field_2_n_3
,aggregator_slot = field4
,aggregator_port = field5
where user4 is not null;
Then put these two
C1 := INSTR(vt_mlr_record.user4,' ',1,1);
Field1 := SUBSTR(vt_mlr_record.user4,1,C1-1);
into
Field1 := SUBSTR(vt_mlr_record.user4,1,INSTR(vt_mlr_record.user4,' ',1,1) -1);
And put it into the update statement, removing reference to record
(I have also removed default values for position and occurrence in instr function):
update vt_mlr
set aggregator_clli = substr(user4, 1, instr(user4,' ') - 1)
,aggregator_vpi_vci = field_2_n_3
,aggregator_slot = field4
,aggregator_port = field5
where user4 is not null;
I think you can do the rest from here ;-)
Regards
Peter -
How to replace single backslash(\) to double backslash(\\)
Hi
I want to replace single backslash to double backslash from the string.
Code is here
String data="File name :\n.txt;File name:\t.txt";
data = data.replace("\\","\\\\");
System.out.println("-->" +data);
i tried to this code but its not working. Help me if anyone is know.
Please reply me asap.
Thanks
DVekaria wrote:
Are you not getting my question.
Obviously not. That's why we've asked you to clarify it. Twice, at least.
whatever data contenting in Variable, it must print as its on the screen.
This code does that.
String s = "a\nb\tc";
System.out.println(s);
The variable s contains a reference to a String object. That String object holds 5 characters: 'a', newline, 'b', tab, 'c'. The println prints out exactly what's in that String--those 5 characters. Note that there is not even one single backslash in that String.
a
b	c
This is exactly what you asked for.
Now let's say I create a file in Notepad, and I type the following, and then save it:
a\nb\tc
That file contains 7 characters. 'a', '\', 'n', 'b', '\', 't', 'c'. If I read that file with BufferedReader, it will give me a String object with those same 7 characters. If I print it out it will print out those 7 characters.
a\nb\tc
Note that in both cases, I am printing out exactly what is in the String.
Think carefully on what is the same and what is different between those two cases, and use it to form a clearer definition of your problem. Remember, we want to know what you're trying to accomplish. Just saying "I want to replace backslashes" tells us how you're trying to solve your problem.