sqlsql-injectionrdbms
Is blocking query commands enough to prevent SQL injection?
I'm a beginner in the field of databases, and I'm about to understand, how free text inputs for queries might be used to compromise a database via SQL injection.
Actually, the relevant xckd sums it up perfectly:
This certain comic implies that if I don't allow users to form ANY kind of input that contains SQL commands (like DROP, UPDATE, INSERT INTO, etc.) then "illegal" SQL queries can't be done.
Is there anything I miss? Or am I right?
Solution
You don't have to ban all SQL commands from your inputs, you just need to make sure they are only ever treated as free text so that they cannot be accidentally executed as a command.
This is probably a good place to start:
- Math.Sin() gives incorrect value
- How to run my python script when the sunOS is start booting
- Express-session: not resetting cookie expiration on each request
- Getting a stack overflow exception when normalizing a vector
- Edit default summary function in R gives error for multiple variables
- What was a For loop? Why isn't it needed in R?
- How to use download button in shiny and save results in various formats (csv, texte, pdf, spss...)?
- Why are there two assignment operators, `<-` and `->` in R?
- lm()$assign: what is it?
- How to get the value of list(...) in R and S functions
- Design matrix for MLM from library(lme4) with fixed and random effects
- how to generate elements not included in my sample
- Create a matrix with gradually changing values without a for loop
- Emacs ESS and S-plus ( S+ ) 8.1 compatability
- How to lag date-index in a time-series in R?
- Nonlinear regression in R / S
- Calling R from S-Plus?