SQL Injection, replace single quote with two single quotes?

Similar Messages

• How to replace one char with two chars in email address policy?

  I very much like to replace the 'ß' char in the surname with 'sz'. However, applying filter '%rßsz%[email protected]' on 'Preußig' leaves me with '[email protected]'.
  So, how do I replace one char with two chars in email address policy?

  As far as I know, your only solution is to manually create such addresses instead of using e-mail address policy.
  Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

• Sql injection

  What is SQL Injection?
  SQL Injection is a way to attack the data in a database through a firewall protecting it. It is a method by which the parameters of a Web-based application are modified in order to change the SQL statements that are passed to a database to return data. For example, by adding a single quote (‘) to the parameters, it is possible to cause a second query to be executed with the first.
  An attack against a database using SQL Injection could be motivated by two primary objectives:
  1. To steal data from a database from which the data should not normally be available, or to obtain system configuration data that would allow an attack profile to be built. One example of the latter would be obtaining all of the database password hashes so that passwords can be brute-forced.
  2. To gain access to an organisation’s host computers via the machine hosting the database. This can be done using package procedures and 3GL language extensions that allow O/S access.
  There are many ways to use this technique on an Oracle system. This depends upon the language used or the API. The following are some languages, APIs and tools that can access an Oracle database and be part of a Web-based application.
  * JSP
  * ASP
  * XML, XSL and XSQL
  * Javascript
  * VB, MFC, and other ODBC-based tools and APIs
  * Portal, the older WebDB, and other Oracle Web-based applications and API’s
  * Reports, discoverer, Oracle Applications
  * 3- and 4GL-based languages such as C, OCI, Pro*C, and COBOL
  * Perl and CGI scripts that access Oracle databases
  * many more.
  Any of the above applications, tools, and products could be used as a base from which to SQL inject an Oracle database. A few simple preconditions need to be in place first though. First and foremost amongst these is that dynamic SQL must be used in the application, tool, or product, otherwise SQL Injection is not possible.
  The final important point not usually mentioned in discussions about SQL injection against any database including Oracle is that SQL injection is not just a Web-based problem. As is implied in the preceding paragraph, any application that allows a user to enter data that may eventually end up being executed as a piece of dynamic SQL can potentially be SQL injected. Of course, Web-based applications present the greatest risk, as anyone with a browser and an Internet connection can potentially access data they should not.
  While second article of this series will include a much more in-depth discussion of how to protect against SQL injection attacks, there are a couple of brief notes that should be mentioned in this introductory section. Data held in Oracle databases should be protected from employees and others who have network access to applications that maintain that data. Those employees could be malicious or may simply want to read data they are not authorized to read. Readers should keep in mind that most threats to data held within databases come from authorized users.
  Protecting against SQL Injection on Oracle-based systems is simple in principle and includes two basic stages. These are:
  1. Audit the application code and change or remove the problems that allow injection to take place. (These problems will be discussed at greater length in the second part of this series.)
  2. Enforce the principle of least privilege at the database level so that even if someone is able to SQL inject an application to steal data, they cannot see anymore data than the designer intended through any normal application interface.
  The “Protection” section, which will be included in the second part of this series, will discuss details of how to apply some of these ideas specifically to Oracle-based applications.
  [http://www.securityfocus.com/infocus/1644]
  how oracle prevent sql injections?

  mango_boy wrote:
  damorgan wrote:
  And they do so using bind variables
  http://www.morganslibrary.org/reference/bindvars.html
  and DBMS_ASSERT
  http://www.morganslibrary.org/reference/dbms_assert.html
  do you have any suggestion for mysql users??Yes. Install Oracle.

• How to replace double quotes with a single quote in a string ?

  Hi All:
  Can some one tell me how to replace double Quote (") in a string with a single quote (') ? I tried to use REPLACE function, but I couldn;t get it worked.
  My example is SELECT REPLACE('STN. "A"', '"', ''') FROM Dual --This one throws an error
  Thanks,
  Dima.

  Whether it is maybe not the more comfortable way, I like the quoting capabitlity from 10g :
  SQL> SELECT REPLACE('STN. "A"', '"', q'(')') FROM Dual;
  REPLACE(
  STN. 'A'{code}
  Nicoals.                                                                                                                                                                                                                                                                                                                                                                                                                                       

• Firefox is replacing double quotes with single quotes.

  In WordPress and at other sites where I input and save text, Firefox is replacing double quotes with single quotes when I save. It's also showing double quotes as single quotes on websites. I tried uninstalling and reinstalling, and it's still happening.

  Do you have the needed font installed?
  *http://en.wikipedia.org/wiki/Punctuation

• Replace Single Quote with double quote

  Hi All,
  I have a String s="help'me'to'replace";
  i want to replace single quote( ' ) in to double quote ( " )
  The final out put should be like this help"me"to"replace
  ( Actually this string i have to pass in to an XML )
  Please help any one

  s.replaceAll("'","\"");{code}
  or just one of the String#replace() methods.
  Edited by: sabre150 on Mar 17, 2009 11:48 AM                                                                                                                                                                                                                                                               

• TWO DATASETS  WITH TWO REPORTS IN SINGLE RTF

  Hi All,
  i want to use two datasets in BIP followed by single RTF having two different reports(DS1-Table1,DS2-Table2) we are using SQL queries for the dataset please give some suggestions how to connect two diiferent datasets with two different tables in a single RTF
  note:
  output of dataset 1 should come in table 1
  output of dataset 2 should come in table 2 and both this tables are in single rtf
  we have used Concatenate operator in BIP but its doing Union and thrwing the output in single table not in two different tables please help
  regards
  bhaskar

  Table 1
       0-1 year     Over 1year     Total
  LC               0.00
  Guarantees               0.00
  Others (specify)               0.00
  Total     0.00     0.00     0.00
  =======================================================================================
  Table 2
       0-1 year     Over 1year     Total
  Unutilized Lines of Credit               0.00
  Unutilized Overdraft Facilities               0.00
  Others (specify)               0.00
  Total     0.00     0.00     0.00
  We are using two different SQl queries for the table 1 and table 2 this two tables should appear in Single RTF
  i.e sql 1 should come only in table 1
  and sql2 should come only in table 2
  i have used Concatenate operation in BIP with multiple datasets its repeating in single table1 and i am unable to split them into two tables please help on this

• Is it possible to use a single iPhone with two contact numbers via dual sim or an app?

  Is it possible to use a single iPhone with two contact numbers via dual sim or an app?
  This would be a useful feature for personal and company numbers but using one mobile, rather than carrying two devices or diverting calls.

  Then go ahead and try it.  You'll find it's probably a load of crap.
  You want 2 numbers, then use Google Voice or TalkaTone
  Those are US based only Apps or numbers so no good. I won't be wasting money by just trying something either, especially because using a dual sim would mean purchasing another sim card on either pay as you go or monthly contact.

• Start SQL Server in single user mode with parameter -m doesn't work well

  C:\Windows\system32>net start mssqlserver /m "Microsoft SQL Server Management St
  udio - Query"
  The SQL Server (MSSQLSERVER) service is starting.
  The SQL Server (MSSQLSERVER) service was started successfully.
  C:\Windows\system32>sqlcmd -S . -e
  1> go
  1> select @@servername;
  2> go
  select @@servername;
  myserver
  (1 rows affected)
  1>
  As you can see, I'm still able to connect with sqlcmd prompt to SQL Server. According production doc of SQL Server 2014, it should not be conncting by sqlcmd. it shall only be connected by SSMS.
  below the original doc on msdn:
  Start SQL Server in Single-User Mode
  Provide Feedback
  Under certain circumstances, you may have to start an instance of SQL Server
  in single-user mode by using the startup option -m. For
  example, you may want to change server configuration options or recover a
  damaged master database or other system database. Both actions require starting
  an instance of SQL Server in single-user mode.
  Starting SQL Server in single-user mode enables any member of the computer's
  local Administrators group to connect to the instance of SQL Server as a member
  of the sysadmin fixed server role. For more information, see Connect to
  SQL Server When System Administrators Are Locked
  Out.
  When you start an instance of SQL Server in single-user mode, note the
  following:
  Only one user can connect to the server.
  The CHECKPOINT process is not executed. By default, it is executed
  automatically at startup.
  Note
  Stop the SQL Server Agent service before connecting to an instance of SQL
  Server in single-user mode; otherwise, the SQL Server Agent service uses the
  connection, thereby blocking it.
  When you start an instance of SQL Server in single-user mode, SQL Server
  Management Studio can connect to SQL Server. Object Explorer in Management
  Studio might fail because it requires more than one connection for some
  operations. To manage SQL Server in single-user mode, execute Transact-SQL
  statements by connecting only through the Query Editor in Management Studio, or
  use the
  sqlcmd utility.
  When you use the -m option with sqlcmd or
  Management Studio, you can limit the connections to a specified client
  application. For example, -m"sqlcmd" limits connections to a
  single connection and that connection must identify itself as the
  sqlcmd client program. Use this option when you are starting
  SQL Server in single-user mode and an unknown client application is taking the
  only available connection. To connect through the Query Editor in Management
  Studio, use -m"Microsoft SQL Server Management Studio - Query".
  Shawn

  Hi Shawn Xiao,
  For starting SQL Server instance in single user mode, we can add –m; parameter in SQL Server Configuration Manager, also we can run CMD with ‘Run as administrator’ and input the following statement.
  NET START MSSQLSERVER /m
  I do a test in SQL Server 2014 Express version, after starting SQL with Single User Mode, SQL Server will only accept one connection. If you connect to SQL Server with a user account, the following error will occur.
  Login failed for user ‘domain\username’. Reason: Server is in single user mode. Only one administrator can connect at this time.
  However, in your situation, you can connect to SQL Server and run T-SQL statement successfully, it can be due to connection with the administrator account in your sqlcmd.
  For more information, you can review the following article.
  http://zarez.net/?p=117
  Regards,
  Sofiya Li
  Sofiya Li
  TechNet Community Support

• How to replace one double quotes with two double quotes in XSLT

  How can I replace one double quote to a two double quote in a string in XSLT
  I am passing the parameter string to XSLT template contains the value as
  <xsl:variable name="Description">Hi! "How are you</xsl:variable>
  <xsl:variable name="VQuotes">""</xsl:variable>
  I nead the output as
  Hi! ""How are you.
  Tried with Translate function, but it did not work out
  <xsl:element name="DESCRIPTION_SHORT">
            <xsl:value-of select="translate($Description,'&quot;', VQuotes)" />
          </xsl:element>But it is giving the same result as Hi! "How are you
  When I tried with
  <xsl:element name="DESCRIPTION_SHORT">
            <xsl:value-of select="translate($Description,'&quot;', 'BB')" />
          </xsl:element>
  It gave the result as
  Hi! BHow are you.
  It is replacing only one character with one. how to make it for two characters.
  Am I doing anything wrong in syntax?
  Please help.
  Regards, Vignesh S

  Hi Vignesh,
  Try this.
  Its a two step process:
  Step1: Add the following template would be "called" to do the replacement as your want:
  <xsl:template name="string-replace-all">
  <xsl:param name="text" />
  <xsl:param name="replace" />
  <xsl:param name="by" />
  <xsl:choose>
  <xsl:when test="contains($text, $replace)">
  <xsl:value-of select="substring-before($text,$replace)" />
  <xsl:value-of select="$by" />
  <xsl:call-template name="string-replace-all">
  <xsl:with-param name="text"
  select="substring-after($text,$replace)" />
  <xsl:with-param name="replace" select="$replace" />
  <xsl:with-param name="by" select="$by" />
  </xsl:call-template>
  </xsl:when>
  <xsl:otherwise>
  <xsl:value-of select="$text" />
  </xsl:otherwise>
  </xsl:choose>
  </xsl:template>
  Step2: Call the above templeate in the place where you want to call, like this:
  <!--Define the variables-->
  <xsl:variable name="Description">Hi! "How are you</xsl:variable>
  <xsl:variable name="sQuotes">"</xsl:variable>
  <xsl:variable name="VQuotes">""</xsl:variable>
  <!--Following call the template which you have defined in step1-->
  <xsl:element name="DESCRIPTION_SHORT">
  <xsl:variable name="myVar">
  <xsl:call-template name="string-replace-all">
  <xsl:with-param name="text" select="$Description" />
  <xsl:with-param name="replace" select="$sQuotes" />
  <xsl:with-param name="by" select="$VQuotes" />
  </xsl:call-template>
  </xsl:variable>
  <xsl:value-of select="$myVar" />
  </xsl:element>
  I have tested this and works. And outputs as the following with two-double quote as you want.
  <DESCRIPTION_SHORT>Hi!
  ""How are you</DESCRIPTION_SHORT>
  If this answers your question please mark it accordingly. If this post is helpful, please vote as helpful by clicking the upward arrow mark next to my reply.

• Is there a download and convert in a single step option in the flashdownloader 2.6.8. add-on? I end up with two files, one downloaded original and one converted to my chosen format.

  Files are downloaded and only then encoded, so I end up with two files in the drive.

  That has been like that since Firefox 3.0 was released in June 2008 - 7 major version releases thus far with it like that and the developers haven't changed it - so I wouldn't count on it.
  When I want to save a duplicate bookmark, I just "grab" the website image in the Location Bar and drag it into the Bookmarks Sidebar, into the folder where I want it placed. On Windows and Linux, { Ctrl + B } opens the sidebar and then just drag.

• One job with two steps - how to create one single spool?

  Hello experts,
  I have created two queries in SQVI. One is based on the table BSIK, the other on on BSAK.
  The report layout is the same in both queries.
  Now I schedule one job in SM36/SM37 with two steps corresponding to my queries.
  I want my second step to append the spool created in the first step. Is that possible?
  In order to do this I unchecked "New spool request" in the request attributes for the second step of the job.
  I use the same printer, the same format (X_65_80), but it doesnt work.
  The help on the field says
  ".... name, output device, number of prints and the format must match..." - What "name" do they mean?
  "In addition, the existent spool order must not already be competed. This can occur if a spool is released for output...." - I use "send to SAP spooler only" option, is that what thay mean? How cen you have an "uncompleted spool" in the job.
  If anybody knows ho to do this (without development!), please advise
  Best regards,
  Fatima

  Hi,
  Please do following steps :
  1. Go to transaction code SM36
  2. Do as per below screen shots
  You can see Job steps is empty
  Click on (Check and Save)
  Next Screen
  You can see one step created
  Click on Create
  You can see above it is showing as Step 2
  Give again program name and variant
  Click on (Check and Save)
  You can see two steps are created
  Go back (green arrow)
  You can see know SAP is showing 2 Step(s) successfully defined which was earlier blank
  Click on
  Next Screen
  Now schedule job as per your requirement.
  Prerequisite create variants for both the programs as we need to mention the same .
  Hope, this solves your issue else revert.
  Regards,
  Tejas

• SQL Injection with CF7 and MS SQL 2005

  I looked through a bunch of SQL injection posts and couldn't
  find a definitive answer to this...
  Let me introduce this by saying that I know I should be using
  CFQUERYPARAM with EVERY CF variable in a CFQUERY tag. No excuses.
  But for a necessary quick fix, if I only use it for numeric
  DB fields, is SQL injection still possible (using MS SQL 2005)?
  I've yet to successfully perform SQL injection while manipulating a
  variable surrounded by single quotes in the query.
  Scenario 1) select * from users where user_id=#form.user_id#
  ...is a gimme to hack, but
  Scenario 2) select * from users where
  password='#form.password#' ...is another story
  Has anyone ever heard of a successful SQL injection attack in
  a Scenario 2 situation.
  I'll fix everything up eventually, but I've got a Pen Test
  coming up soon, and a lot of raw code to review.
  Thanks

  quote:
  Originally posted by:
  Dan Bracuk
  What others can do is more relevent than what we think. When
  in doubt, test.
  very true, although my final solution went more like, "When
  in doubt, manually add about 600 cfqueryparams in 406 cfquery
  tags".

• How to convert pl/sql block into single update statement

  Dear all gurus,
  I have pl/sql block mention below, Can I convert this pl/sql block to single update statement if possible?
  If not how to optimize this block?
  Pleaese suggest.
  thanks in advance.
  Vijay
  DECLARE
  CURSOR vt_mlr_cursor IS Select master_key, user4 from vt_mlr Where USER4 is not null;
  USERFIELD VARCHAR2(100);
  C1 VARCHAR2(3); /* this will return location of first space = 12 */
  C2 VARCHAR2(3); /* this will return location of second space = 20 */
  C3 VARCHAR2(3); /* this will return location of third space = 28 */
  C4 VARCHAR2(3); /* this will return location of forth space = 35 */
  Field1 VARCHAR2(40); /* this will return FTMYFLXA04W */
  Field2 VARCHAR2(10); /* this will return VPI0043 */
  Field3 VARCHAR2(10); /* this will return VCI0184 */
  Field4 VARCHAR2(10); /* this will return 005 */
  Field5 VARCHAR2(10); /* this will return 00001 */
  Field_2_n_3 VARCHAR2(25);
  key VARCHAR2(10);
  BEGIN
  FOR vt_mlr_record IN vt_mlr_cursor
  LOOP
  key := vt_mlr_record.master_key;
  USERFIELD := vt_mlr_record.user4;
  C1 := INSTR(vt_mlr_record.user4,' ',1,1); /* this will return location of first space = 12 */
  C2 := INSTR(vt_mlr_record.user4,' ',1,2); /* this will return location of second space = 20 */
  C3 := INSTR(vt_mlr_record.user4,' ',1,3); /* this will return location of third space = 28 */
  C4 := INSTR(vt_mlr_record.user4,' ',1,4); /* this will return location of forth space = 35 */
  Field1 := SUBSTR(vt_mlr_record.user4,1,C1-1); /* this will return FTMYFLXA04W */
  Field2 := SUBSTR(vt_mlr_record.user4,C1+4,C2-C1-4); /* this will return VPI0043 */
  Field3 := SUBSTR(vt_mlr_record.user4,C2+4,C3-C2-4); /* this will return VCI0184 */
  Field4 := SUBSTR(vt_mlr_record.user4,C3+4,C4-C3-4); /* this will return 005 */
  Field5 := SUBSTR(vt_mlr_record.user4,C4+4,LENGTH(vt_mlr_record.user4)-C4-3); /* this will return 00001 */
  Field_2_n_3 := Field2 || '/' || Field3;
  /*DBMS_OUTPUT.PUT_LINE ('Current key is: ' || vt_mlr_record.master_key);*/
  UPDATE vt_mlr
  SET
  aggregator_clli = Field1,
  aggregator_vpi_vci = Field_2_n_3,
  aggregator_slot = Field4,
  aggregator_port = Field5
  WHERE
  master_key = vt_mlr_record.master_key;
  END LOOP;
  END;
  /

  Hi Vijay,
  Here's something to start with, you should be able to complete it.
  First, combine your select and update statements:
  update vt_mlr
     set aggregator_clli = field1
        ,aggregator_vpi_vci = field_2_n_3
        ,aggregator_slot = field4
        ,aggregator_port = field5
  where user4 is not null;Then put these two
  C1 := INSTR(vt_mlr_record.user4,' ',1,1); 
  Field1 := SUBSTR(vt_mlr_record.user4,1,C1-1);into
  Field1 := SUBSTR(vt_mlr_record.user4,1,INSTR(vt_mlr_record.user4,' ',1,1) -1);And put it into the update statement, removing reference to record
  (I have also removed default values for position and occurrence in instr function):
  update vt_mlr
     set aggregator_clli = substr(user4, 1, instr(user4,' ') - 1)
        ,aggregator_vpi_vci = field_2_n_3
        ,aggregator_slot = field4
        ,aggregator_port = field5
  where user4 is not null; I think you can do the rest from here ;-)
  Regards
  Peter

• How to replace single backslash(\) to double backslash(\\)

  Hi
  I want to replace single backslash to double backslash from the string.
  Code is here
  String data="File name :\n.txt;File name:\t.txt";               
  data = data.replace("\\","\\\\");
  System.out.println("-->" +data);
  i tried to this code but its not working. Help me if anyone is know.
  Please reply me asap.
  Thanks

  DVekaria wrote:
  Are you not getting my question.Obviously not. That's why we've asked you to clarify it. Twice, at least.
  whatever data contenting in Variable, it must print as its on the screen.This code does that.
  String s = "a\nb\tc;"
  System.out.println(s);The variable s contains a reference to a String object. That String object holds 5 characters: 'a', newline, 'b', tab, 'c'. The println prints out exactly what's in that String--those 5 characters. Note that there is not even one single backslash in that String.
  a
  b cThis is exactly what you asked for.
  Now let's say I create a file in Notepad, and I type the following, and then save it:
  a\nb\tcThat file contains 7 characters. 'a', '\', 'n', 'b', '\', 't', 'c'. If I read that file with Buffered reader, it will give me a String object with those same 7 charcters. If I print it out it will print out those 7 characters.
  a\nb\tcNote that in both cases, I am printing out exactly what is in the String.
  Think carefully on what is the same and what is different between those two cases, and use it to form a clearer definition of your problem. Remember, we want to know what you're trying to accomplish. Just saying "I want to replace backslashes" tells us how you're trying to solve your problem.