sql-parametrized-query

SQL Parametrized query for database backup is reported as sql injection by sonarqube [closed]

六眼飞鱼酱① submitted on 2021-01-07 01:39:49
Question: [Closed. This question needs details or clarity. It is not currently accepting answers.] I have several SQL injection security hotspots reported by SonarQube. I've changed my implementation to use parametrized queries but the issue hasn't been solved. SonarQube is reporting SQL Injection at the following line: SqlCommand cmd = new SqlCommand(cmdTxt, con); How may I

Why does using parameterized queries or entity framework prevent sql injection?

北城余情 submitted on 2020-02-27 07:24:32
Question: I've got a good grasp on SQL injection. It's when a SQL query that is supposed to be something like SELECT FirstName, LastName FROM Customers WHERE CustomerId = @valueFromApplication gets turned into a query like SELECT FirstName, LastName FROM Customers WHERE CustomerId = '' ; DROP DATABASE Foo -- when the user inserts a malicious value into your app, website, client, whatever. I'm also aware that instead of just dropping the DB the attacker can try to discover the names of tables and get
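The distinction the question is asking about, as an added example that is not part of the original post: with concatenation the attacker's quote characters become part of the SQL text, so the WHERE clause itself is rewritten; with a bound parameter the SQL text is fixed before the value is seen, so the same input can only ever be compared as a string. The Customers table, its rows and the payload are constructed for the demo, and the standard-library sqlite3 module stands in for SQL Server so it runs offline (sqlite3 executes one statement per call, so the stacked "; DROP" variant from the post cannot be shown here, but the mechanism is identical).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory Customers table with three demo rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE Customers (CustomerId TEXT, FirstName TEXT, LastName TEXT)"
    )
    con.executemany(
        "INSERT INTO Customers VALUES (?, ?, ?)",
        [("C1", "Ada", "Lovelace"), ("C2", "Alan", "Turing"), ("C3", "Grace", "Hopper")],
    )
    return con


def lookup_concatenated(con: sqlite3.Connection, customer_id: str):
    """Vulnerable form: the value is pasted into the SQL text, so any quote
    or keyword inside it is parsed as SQL, not as data."""
    sql = (
        "SELECT FirstName, LastName FROM Customers "
        "WHERE CustomerId = '" + customer_id + "'"
    )
    return con.execute(sql).fetchall()


def lookup_parameterized(con: sqlite3.Connection, customer_id: str):
    """Safe form: the SQL text never changes; the driver hands the value to the
    engine separately, so it is compared as one opaque string."""
    sql = "SELECT FirstName, LastName FROM Customers WHERE CustomerId = ?"
    return con.execute(sql, (customer_id,)).fetchall()


# Constructed attacker input: closes the literal and appends an always-true test.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    con = make_db()
    print(lookup_concatenated(con, "C1"))      # the intended single row
    print(lookup_concatenated(con, PAYLOAD))   # every row: WHERE became '' OR '1'='1'
    print(lookup_parameterized(con, PAYLOAD))  # []: no customer has that literal id
```

The concatenated query with PAYLOAD turns into `... WHERE CustomerId = '' OR '1'='1'` and returns the whole table; the parameterized one returns nothing, because no CustomerId equals the eleven-character string the attacker sent. That is the whole reason parameterization (and an ORM such as Entity Framework, which emits parameterized SQL for you) stops injection: the boundary between code and data is fixed by the driver, not by how carefully you escape.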

Npgsql parameterized query output incompatible with PostGIS

只谈情不闲聊 submitted on 2019-12-23 14:21:44
Question: I have this parameterized query in an NpgsqlCommand: UPDATE raw.geocoding SET the_geom = ST_Transform(ST_GeomFromText('POINT(:longitude :latitude)', 4326),3081) WHERE id=:id :longitude and :latitude are double , and id is int . The query that is actually run against the DB looks like this: UPDATE raw.geocoding SET the_geom = ST_Transform(ST_GeomFromText('POINT(((E'-96.6864379495382')::float8) ((E'32.792527154088')::float8))', 4326),3081) WHERE id=((10793455)::int4) Thanks to help from Erwin
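The root cause in the query above is that `:longitude` and `:latitude` sit inside a quoted string literal, where they are not parameters at all. How a driver treats that varies (the post's output shows Npgsql rewriting them client-side into invalid WKT); the portable fix is to keep the coordinates as real parameters and let SQL assemble the text with `||`. The following is an added example, not code from the original post: it uses the standard-library sqlite3 module with named placeholders so it runs offline, and a plain TEXT column named `wkt` stands in for the PostGIS `the_geom` column (the `geocoding` table and its row are constructed).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for raw.geocoding: one row, no geometry yet."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE geocoding (id INTEGER PRIMARY KEY, wkt TEXT)")
    con.execute("INSERT INTO geocoding (id, wkt) VALUES (1, NULL)")
    return con


def placeholder_inside_literal(con, row_id: int, lon: float, lat: float) -> str:
    """Mirrors the post's 'POINT(:longitude :latitude)'. Inside the quotes the
    names are ordinary characters: the statement declares only :id, the
    coordinates are never bound, and the stored value is the literal text."""
    con.execute(
        "UPDATE geocoding SET wkt = 'POINT(:lon :lat)' WHERE id = :id",
        {"lon": lon, "lat": lat, "id": row_id},
    )
    return con.execute("SELECT wkt FROM geocoding WHERE id = ?", (row_id,)).fetchone()[0]


def set_point(con, row_id: int, lon: float, lat: float) -> str:
    """Correct form: concatenate in SQL, so lon/lat are bound as numbers.
    The PostGIS equivalent is ST_GeomFromText('POINT(' || :lon || ' ' || :lat || ')', 4326),
    or simply ST_SetSRID(ST_MakePoint(:lon, :lat), 4326), which needs no WKT text at all."""
    con.execute(
        "UPDATE geocoding SET wkt = 'POINT(' || :lon || ' ' || :lat || ')' WHERE id = :id",
        {"lon": lon, "lat": lat, "id": row_id},
    )
    return con.execute("SELECT wkt FROM geocoding WHERE id = ?", (row_id,)).fetchone()[0]


if __name__ == "__main__":
    con = make_db()
    print(placeholder_inside_literal(con, 1, -96.5, 32.75))  # POINT(:lon :lat)
    print(set_point(con, 1, -96.5, 32.75))                   # POINT(-96.5 32.75)
```

The first function shows why "it looks parameterized" is not enough: anything between quotes in the SQL text is data to the parser, so placeholders there are silently ignored by a server-side binding driver and mangled by a client-side one. The second keeps the numbers as bound values, which also means a non-numeric input can never break out of the literal.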

How can I securely allow user defined SQL queries?

岁酱吖の submitted on 2019-12-22 03:44:36
Question: I want to allow users to query a database with some fairly flexible criteria. I could just use the following: String slqCmdTxt = "SELECT * FROM TheTable WHERE " + userExpression; However, I know this is wide open to SQL injection. Using parameters is good, but I don't see a way to allow very flexible queries. How can I allow flexible database queries without opening myself up to SQL injection? More Details: There are really two tables, a master and a secondary with attributes. One master
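One standard answer to the question above is to stop accepting SQL fragments and accept a structured filter instead: column and operator names are looked up in allowlists and only the allowlisted spelling is spliced into the text, while every user-supplied value travels as a bound parameter. The code below is an added example, not from the original post; the `TheTable` schema (name, status, size), its rows and the operator set are assumptions for the demo, and the standard-library sqlite3 module is used so it runs offline.

```python
import sqlite3

# Hypothetical schema: the only columns a user may filter on.
ALLOWED_COLUMNS = {"name", "status", "size"}
# User-facing operator names mapped to the SQL we are willing to emit.
ALLOWED_OPS = {"eq": "=", "ne": "<>", "lt": "<", "gt": ">", "like": "LIKE"}


def build_where(filters):
    """filters: list of (column, op, value) triples supplied by the user.
    Returns (where_fragment, params). The fragment is built only from
    allowlisted tokens; user text appears solely in params."""
    clauses, params = [], []
    for column, op, value in filters:
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"unknown column {column!r}")
        if op not in ALLOWED_OPS:
            raise ValueError(f"unknown operator {op!r}")
        clauses.append(f"{column} {ALLOWED_OPS[op]} ?")
        params.append(value)
    return (" AND ".join(clauses) if clauses else "1=1"), params


def query(con: sqlite3.Connection, filters):
    """Run the user's filter against TheTable and return matching names."""
    where, params = build_where(filters)
    sql = f"SELECT name FROM TheTable WHERE {where} ORDER BY name"
    return con.execute(sql, params).fetchall()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory TheTable with three demo rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE TheTable (name TEXT, status TEXT, size INTEGER)")
    con.executemany(
        "INSERT INTO TheTable VALUES (?, ?, ?)",
        [("alpha", "active", 10), ("beta", "archived", 25), ("gamma", "active", 40)],
    )
    return con


if __name__ == "__main__":
    con = make_db()
    print(query(con, [("status", "eq", "active"), ("size", "gt", 20)]))  # [('gamma',)]
    print(query(con, [("name", "eq", "x' OR '1'='1")]))                   # []: just a value
    try:
        build_where([("name; DROP TABLE TheTable", "eq", "x")])
    except ValueError as exc:
        print("rejected:", exc)
```

The filter language here is deliberately AND-only; adding OR, grouping or a join to the secondary attribute table follows the same pattern (a small grammar you control, rendered from allowlists, with values bound), which is far easier to audit than trying to sanitize an arbitrary `userExpression`.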

Is there any safe way to parameterize database names in MySQL queries?

一曲冷凌霜 submitted on 2019-12-19 10:10:52
Question: I'm writing a little python script to help me automate the creation of mysql databases and associated accounts for my personal projects. Part of this script is a function that takes the database name as a string, then goes to create the database. def createDB(dbConn, dbName): import MySQLdb c = dbConn.cursor() query = """CREATE DATABASE %s;"""; c.execute(query, (dbName,)) This doesn't work because MySQL's CREATE DATABASE asks for the unquoted name of the database, as in CREATE DATABASE test
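Bound parameters carry values, never identifiers, which is why the `createDB()` above produces `CREATE DATABASE 'test'` and fails, and also why the SonarQube post earlier on this page still sees a hotspot in a backup command: a database name has to be validated and quoted by the application before it is spliced into the statement. The following is an added example, not the poster's code: it validates the name against a strict allowlist and then quotes it for the target dialect (backticks for MySQL, double quotes for sqlite). sqlite3 from the standard library is used so it runs offline, and CREATE TABLE stands in for CREATE DATABASE, which sqlite does not have.

```python
import re
import sqlite3

# Allowlist: a leading letter or underscore, then up to 63 word characters.
# Anything else (spaces, quotes, semicolons, hyphens) is refused outright.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def quote_identifier(name: str, dialect: str = "sqlite") -> str:
    """Return name as a quoted SQL identifier or raise ValueError.
    The allowlist already excludes the quote character; doubling it is the
    standard identifier escape in both dialects and is kept as defence in
    depth should the pattern ever be relaxed."""
    if not IDENT_RE.match(name):
        raise ValueError(f"rejected identifier: {name!r}")
    q = "`" if dialect == "mysql" else '"'
    return q + name.replace(q, q + q) + q


def create_table(con: sqlite3.Connection, table_name: str) -> str:
    """Analogue of the post's createDB(): the name is interpolated only after
    quote_identifier() has accepted it. Returns the SQL that was executed."""
    sql = f"CREATE TABLE {quote_identifier(table_name)} (id INTEGER PRIMARY KEY)"
    con.execute(sql)
    return sql


def try_parameter(con: sqlite3.Connection, table_name: str) -> str:
    """Reproduce the failure from the post on sqlite: a placeholder in
    identifier position is a syntax error before any value is bound."""
    try:
        con.execute("CREATE TABLE ? (id INTEGER PRIMARY KEY)", (table_name,))
        return "unexpectedly succeeded"
    except sqlite3.OperationalError as exc:
        return f"syntax error: {exc}"


if __name__ == "__main__":
    con = sqlite3.connect(":memory:")
    print(try_parameter(con, "proj_2021"))       # syntax error: near "?": ...
    print(create_table(con, "proj_2021"))        # CREATE TABLE "proj_2021" (...)
    print(quote_identifier("proj_2021", "mysql"))  # `proj_2021`
    try:
        quote_identifier("x; DROP DATABASE prod")
    except ValueError as exc:
        print("rejected:", exc)
```

For the MySQL script in the question, the same two steps apply with `dialect="mysql"` and the quoted name formatted into the `CREATE DATABASE` text; the `dbName` must not be passed as a parameter to `execute()`. The allowlist is what a static analyser such as SonarQube cannot see on its own, so it is worth keeping the check adjacent to the statement and covering it with a test like the one below.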

SQL SSRS-several conditions in one report

心已入冬 submitted on 2019-12-13 10:22:33
Question: I am creating a tabular report with several conditions. As a case in point, the conditions could be either of these: X is NULL X is not NULL X like '%Y%' I want to create a kind of drill through report with the capability of selecting one of the above conditions. Now I am creating three tables and use IIF for the visibility of each. I add the parameter to visibility and by selecting one condition the related table becomes visible and the other two become hidden. But I am thinking of just a

Parametrizing SQL script

别等时光非礼了梦想. submitted on 2019-12-12 02:46:37
Question: I have to make SELECT column1,column2 INTO OUTFILE 'out_1.csv' FROM table1 WHERE column1.name = '1' SELECT column1,column2 INTO OUTFILE 'out_2.csv' FROM table1 WHERE column1.name = '2' SELECT column1,column2 INTO OUTFILE 'out_3.csv' FROM table1 WHERE column1.name = '3' and so on... I thought it was a good idea to do something like: SELECT column1,column2 INTO OUTFILE 'out_$1.csv' FROM table1 WHERE column1.name = $1 and pass the parameter $1 through a UNIX shell script. But maybe there's a

Why is using a parameterized query to insert data into a table faster than appending the values to the query string?

最后都变了- submitted on 2019-12-08 19:32:00
Question: Why is using a parameterized query to insert data into a table: string queryString = "insert into product(id, name) values (@id, @name)"; faster than appending the values to the query string: string queryString = "insert into product(id, name) values (" + _id + ", " + _name + ")"; ? When I use the command in a loop to insert 10K rows, the parameterized query is an order of magnitude faster than the other one. I know a parametrized query has security and maintainability benefits, and it's the

java - Multiple update statements in MySql

流过昼夜 submitted on 2019-12-07 19:10:34
Question: so I have a software which basically downloads 1.5K game server addresses from my MySQL db. It then pings all of them and then uploads the information such as online players back to the database. The process looks like this: Download server address Ping the servers and get information Upload information back to the database So far I have been able to solve the part where it downloads the server host name and pings them but the problem arises when updating the servers. To update I thought about

java - Multiple update statements in MySql

不问归期 submitted on 2019-12-06 05:49:12
so I have a software which basically downloads 1.5K game server addresses from my MySQL db. It then pings all of them and then uploads the information such as online players back to the database. The process looks like this: Download server address Ping the servers and get information Upload information back to the database So far I have been able to solve the part where it downloads the server host name and pings them but the problem arises when updating the servers. To update I thought about using a for loop to construct one BIG string of many update statements and execute it at once but this is
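The batch-update question above and the "why is the parameterized insert faster" question earlier on this page have the same answer: prepare one statement, bind a different parameter row for each execution, and wrap the whole batch in a single transaction. The engine parses and plans the statement once, the network sees one round trip per batch instead of one huge string, and a host name that contains a quote or a semicolon is just a value. The code below is an added example, not the poster's Java: it uses the standard-library sqlite3 module so it runs offline, the `servers` table and the ping results are constructed, and `fake_ping()` is a hypothetical stand-in for the real probe.

```python
import sqlite3


def make_db(n: int = 1500) -> sqlite3.Connection:
    """Constructed servers table with n hosts, all unprobed."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE servers (id INTEGER PRIMARY KEY, host TEXT UNIQUE, "
        "online_players INTEGER, reachable INTEGER)"
    )
    con.executemany(
        "INSERT INTO servers (id, host, online_players, reachable) VALUES (?, ?, 0, 0)",
        [(i, f"srv{i}.example.invalid") for i in range(1, n + 1)],
    )
    con.commit()
    return con


def fake_ping(host: str):
    """Hypothetical probe: derives a deterministic (reachable, players) pair
    from the host number so the demo needs no network."""
    n = int(host[3:].split(".")[0])
    return (n % 7 != 0, n % 50)


def update_servers(con: sqlite3.Connection, results) -> int:
    """results: iterable of (host, reachable, online_players).
    One prepared UPDATE, one parameter row per server, one commit.
    Returns the total number of rows modified."""
    rows = [(int(reachable), players, host) for host, reachable, players in results]
    with con:  # commit on success, roll back the whole batch on error
        cur = con.executemany(
            "UPDATE servers SET reachable = ?, online_players = ? WHERE host = ?",
            rows,
        )
    return cur.rowcount


if __name__ == "__main__":
    con = make_db()
    hosts = [row[0] for row in con.execute("SELECT host FROM servers ORDER BY id")]
    results = [(h, *fake_ping(h)) for h in hosts]
    print(update_servers(con, results))  # 1500
    # A hostile host name is compared as a string and matches nothing.
    print(update_servers(con, [("x'; DROP TABLE servers;--", True, 5)]))  # 0
```

With a real MySQL driver the shape is the same (`executemany` in MySQLdb or PyMySQL, `addBatch`/`executeBatch` on a `PreparedStatement` in JDBC); if the probe runs in parallel, collect results into a list first and write them in one batch at the end rather than opening a transaction per server.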