Commit
Merge pull request #17 from kimmel/master
Added notes on Perl taint mode. Converted from Textile to Markdown. Added a content license.
Showing 32 changed files with 689 additions and 692 deletions.
@@ -0,0 +1,14 @@ | ||
ASP | ||
=== | ||
|
||
objCmd.CommandType = adCmdText; | ||
objCmd.CommandText = "UPDATE members SET photo = @filename WHERE memberID = @memberID"; | ||
objCmd.Parameters.Append(objCmd.CreateParameter("@memberID", adInteger, adParamInput, 4, memberid )); | ||
objCmd.Parameters.Append(objCmd.CreateParameter("@filename", adVarChar, adParamInput, 510, fileName)); | ||
objCmd.Execute(adExecuteNoRecords); | ||
gblDelobjParams(objCmd); | ||
|
||
To do | ||
----- | ||
|
||
Add some narrative |
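Review bot: the two `Parameters.Append` calls are in the opposite order from the placeholders in the statement (`@filename` appears first in the UPDATE, but `@memberID` is appended first). ADO binds `adCmdText` parameters by position when `?` markers are used, so a reader who swaps the named markers for `?` would silently bind the integer to `photo` and the filename to `memberID`; either reorder the appends to match the statement or add a sentence saying that the SQL Server provider resolves `@name` markers by name. Two smaller points: `gblDelobjParams(objCmd)` is an unexplained helper the reader cannot reuse (say it is a local cleanup routine or replace it with `objCmd = null`), and the snippet is JScript-style ASP (semicolons, C-like syntax) while the heading just says "ASP", so label the dialect and note that `adCmdText`, `adInteger`, `adVarChar`, `adParamInput` and `adExecuteNoRecords` come from the ADO constants include (`adojavas.inc`) or a typelib `METADATA` directive. The "Add some narrative" to-do could be closed with the one sentence that matters: `fileName` and `memberid` never touch the SQL string, so a `'` inside a filename is data, not syntax.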
This file was deleted.
@@ -0,0 +1,33 @@ | ||
ColdFusion | ||
========== | ||
|
||
In ColdFusion there is a tag called <code class="inline">cfqueryparam</code> that should be used whenever writing inline queries. | ||
|
||
<cfquery name="queryTest"> | ||
SELECT FirstName, LastName, Phone | ||
FROM tblUser | ||
WHERE Status = | ||
<cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#form.status#"> | ||
</cfquery> | ||
|
||
|
||
Stored procedures can be invoked with the <code class="inline">cfstoredproc</code> and <code class="inline">cfprocparam</code> tags. | ||
|
||
Recent versions of ColdFusion provide a set of functions to run queries that | ||
have a slightly different syntax, but still provide parameterized queries. | ||
|
||
|
||
<cfscript> | ||
var myQuery = new Query(sql=" | ||
SELECT FirstName, LastName, Phone | ||
FROM tblUser | ||
WHERE Status = :status | ||
"); | ||
myQuery.addParam( | ||
name = "status", | ||
value = form.status, | ||
cfsqltype = "cf_sql_varchar" | ||
); | ||
var rawQuery = myQuery.execute().getResult(); | ||
</cfscript> | ||
|
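Review bot: both queries omit the `datasource`; `<cfquery name="queryTest">` and `new Query(sql=...)` only run when a default datasource is set in Application.cfc (`this.datasource`), so either add `datasource="..."` to the tag and `datasource=` to the `Query` constructor or state that assumption above the examples. `cfsqltype` is spelled `CF_SQL_VARCHAR` in the tag example and `cf_sql_varchar` in the script example; pick one so readers do not wonder whether case matters. Unless the `<cfscript>` snippet is meant to sit inside a function, confirm that top-level `var` is accepted on the ColdFusion versions the page targets, since older releases reject `var` outside a function body. The narrative could also make explicit what the examples leave implied: `cfqueryparam` and `addParam` bind `form.status` as a value of the declared type, so a `'` in the submitted status is data, not SQL.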
This file was deleted.
@@ -0,0 +1,22 @@ | ||
C\# | ||
=== | ||
|
||
From the [C# Online](http://en.csharp-online.net/) wiki page [ASP.NET Security Hacks--Avoiding SQL Injection](http://en.csharp-online.net/ASP.NET_Security_Hacks%E2%80%94Avoiding_SQL_Injection) | ||
|
||
|
||
SqlCommand userInfoQuery = new SqlCommand( | ||
"SELECT id, name, email FROM users WHERE id = @UserName", | ||
someSqlConnection); | ||
|
||
SqlParameter userNameParam = userInfoQuery.Parameters.Add("@UserName", | ||
SqlDbType.VarChar, 25 /* max length of field */ ); | ||
|
||
// userName is some string valued user input variable | ||
userNameParam.Value = userName; | ||
|
||
Or simpler: | ||
|
||
|
||
String username = "joe.bloggs"; | ||
SqlCommand sqlQuery = new SqlCommand("SELECT user_id, first_name,last_name FROM users WHERE username = ?username", sqlConnection); | ||
sqlQuery.Parameters.AddWithValue("?username", username); |
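Review bot: the "simpler" second example will not run against SQL Server as written: `SqlCommand` (System.Data.SqlClient) accepts only `@name` parameter markers, and `?username` is the marker syntax of older MySQL Connector/NET (`MySqlCommand`), so both the marker in the SQL text and the name passed to `AddWithValue` should be `@username`. Mixing the two providers on one page without comment is likely to leave a reader with a runtime error and a temptation to fall back to string concatenation. Smaller point: `AddWithValue` infers the SQL type from the .NET value (a `String` becomes `nvarchar`), which can force an implicit conversion against a `varchar` column, so the first example's explicit `SqlDbType.VarChar, 25` is the better pattern to recommend; either prefer it or say why the shortcut is acceptable. Also check the first example's `WHERE id = @UserName`: comparing a column named `id` to a `VarChar(25)` parameter called `@UserName` reads like a copy error, and `WHERE username = @UserName` would match the second example.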
This file was deleted.
@@ -0,0 +1,10 @@ | ||
Delphi | ||
====== | ||
|
||
To use a prepared statement, do something like this: | ||
|
||
query.SQL.Text := 'update people set name=:Name where id=:ID'; | ||
query.Prepare; | ||
query.ParamByName( 'Name' ).AsString := name; | ||
query.ParamByName( 'ID' ).AsInteger := id; | ||
query.ExecSQL; |
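Review bot: the snippet never says which dataset component `query` is (TQuery, TADOQuery, TSQLQuery and TFDQuery all expose `SQL`, `Prepare`, `ParamByName` and `ExecSQL`), and `:Name`/`:ID` are only turned into `Params` entries when the component's `ParamCheck` property is True (the default), so a one-line note on both would spare readers a parameter-not-found error. The typed setters are the right thing to show and deserve a sentence: an `id` bound with `AsInteger` cannot carry `' OR 1=1`, because the value is never part of the statement text. If the page wants to show the speed win the index to-do mentions, this is the place: set `SQL.Text` and call `Prepare` once, then loop over `ParamByName(...).As...` assignments and `ExecSQL`.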
This file was deleted.
@@ -0,0 +1,17 @@ | ||
.NET | ||
==== | ||
|
||
Reference: | ||
|
||
- [SqlCommand.Prepare](http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlcommand.prepare.aspx) in the .NET Framework Class Library | ||
|
||
Articles: | ||
|
||
- [SQL injection](http://msdn.microsoft.com/en-us/library/ms161953.aspx) on MSDN | ||
- [SQL Injection and how to avoid it](http://blogs.msdn.com/tom/archive/2008/05/29/sql-injection-and-how-to-avoid-it.aspx) on the ASP.NET Debugging blog | ||
|
||
To do | ||
----- | ||
|
||
- Add some narrative | ||
- Show code examples |
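Review bot: the reference list links `SqlCommand.Prepare` as if preparing were what prevents injection, but `Prepare` only asks SQL Server to compile the statement for reuse; the protection comes from passing values through `SqlCommand.Parameters`, which works whether or not `Prepare` is ever called. Link `SqlCommand.Parameters` / `SqlParameterCollection` (and `SqlParameter`) alongside or instead of `Prepare`, and say in the narrative that `Prepare` is an optional performance step. The "Show code examples" to-do could be closed by pointing at the C# page, which already has `SqlCommand` examples; otherwise the two pages will drift apart (the C# page already carries a `?`-style marker that `SqlCommand` does not accept).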
This file was deleted.
@@ -0,0 +1,86 @@ | ||
Who is Bobby Tables? | ||
==================== | ||
|
||
<p> | ||
<a href="http://xkcd.com/327/"><img src="img/xkcd.png" alt="xkcd Bobby Tables Cartoon" /></a> | ||
<a href="http://xkcd.com/327/">From the comic strip xkcd</a><br /> | ||
<b>School</b>: "Hi, this is your son's school. We're having some computer trouble."<br /> | ||
<b>Mom</b>: "Oh, dear -- Did he break something?"<br /> | ||
<b>School</b>: "In a way. Did you really name your son Robert'); DROP TABLE Students;-- ?"<br /> | ||
<b>Mom</b>: "Oh. Yes. Little Bobby Tables we call him."<br /> | ||
<b>School</b>: "Well, we've lost this year's student records. I hope you're happy."<br /> | ||
<b>Mom</b>: "And I hope you've learned to sanitize your database inputs."<br /> | ||
(title text: "Her daughter is named Help I'm trapped in a driver's license factory.") | ||
</p> | ||
|
||
How to avoid Bobby Tables | ||
========================= | ||
|
||
There is only one way to avoid Bobby Tables attacks | ||
|
||
- Do not create SQL statements that include outside data. | ||
- Use parameterized SQL calls. | ||
|
||
That's it. Don't try to escape invalid characters. Don't try to do it yourself. Learn how to use parameterized statements. Always, every single time. | ||
|
||
The strip gets one thing crucially wrong. The answer is not to "sanitize your database inputs" yourself. It is prone to error. | ||
|
||
Examples | ||
======== | ||
|
||
See the sidebar to the left for your specific language. | ||
|
||
Other random resources | ||
====================== | ||
|
||
- [SQL Injection Myths and Fallacies](http://www.slideshare.net/billkarwin/sql-injection-myths-and-fallacies) | ||
- [http://www.schneier.com/blog/archives/2008/10/how_to_write_in.html](http://www.schneier.com/blog/archives/2008/10/how_to_write_in.html) | ||
- [http://st-curriculum.oracle.com/tutorial/SQLInjection/](http://st-curriculum.oracle.com/tutorial/SQLInjection/) | ||
|
||
Patches welcome | ||
=============== | ||
|
||
Don't see a language that you'd like to see represented? Please let me know if you have updates or additions through one of these methods, in decreasing order of preference. | ||
|
||
- Fork the [bobby-tables repository at github](http://github.com/petdance/bobby-tables), make your changes, and send me a pull request. | ||
- Add an issue in the [issue tracker](http://github.com/petdance/bobby-tables/issues). | ||
- Email me, Andy Lester, at andy at petdance.com. | ||
|
||
Translations also welcome | ||
========================= | ||
|
||
Help translate this site! There are only 100 phrases. No programming necessary. | ||
|
||
See the instructions at the [bobby-tables repository at github](http://github.com/petdance/bobby-tables#readme). | ||
|
||
To do | ||
===== | ||
|
||
- Explain why creating code from outside data is bad. | ||
- Potential speed win when reusing prepared statements. | ||
|
||
Thanks | ||
====== | ||
|
||
Thanks to the following folks for their contributions: | ||
|
||
- Kirk Kimmel | ||
- Nathan Mahdavi | ||
- [Hannes Hofmann](http://www5.informatik.uni-erlangen.de/en/our-team/hofmann-hannes) | ||
- [Mike Angstadt](http://www.mangst.com) | ||
- [Peter Ward](http://identi.ca/flowblok/) | ||
- [David Wheeler](http://justatheory.com) | ||
- Scott Rose | ||
- Erik Osheim | ||
- Russ Sivak | ||
- [Iain Collins](http://iaincollins.com) | ||
- Kristoffer Sall Hansen | ||
- Jeff Emminger | ||
- [Travis Swicegood](http://www.travisswicegood.com/) | ||
- [Will Coleda](http://www.coleda.com/users/coke/) | ||
- Kai Baesler | ||
- Mike Markley | ||
- [Michael Schwern](http://schwern.dreamhosters.com/) | ||
- [Jeana Clark](http://jeanaclark.org/) | ||
- [Lars Dɪᴇᴄᴋᴏᴡ](http://search.cpan.org/~daxim/) | ||
- [Jani Hur](http://www.jani-hur.net) |
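Review bot: "There is only one way to avoid Bobby Tables attacks" is followed by two bullets, which undercuts the sentence; make it one rule with its corollary, e.g. "Never build SQL by pasting in outside data; use parameterized calls so the data travels separately from the statement." The same section forbids escaping without saying why, and the to-do admits the explanation is missing; one sentence would do (escaping rules differ per database and per encoding, and a single missed case is a full injection, whereas a bound parameter is never parsed as SQL). Smaller points: "See the sidebar to the left" assumes the rendered site layout and means nothing in the Markdown source or on a narrow screen; "Other random resources" lists two raw URLs as link text, which should get titles like the first entry; and `img/xkcd.png` is a relative path, so confirm the image is added in this same commit or the index will render with a broken image.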