Which characters are actually capable of causing SQL injection in MySQL?

An obligatory addendum from 2020: Dealing with characters was proven to be inefficient and obsoleted. You must use prepared statements and forget about escaping, “dangerous characters” or any of that business. Using parameterized queries is considered the only proper way to protect from SQL injections, for the reasons provided in the original answer below: Which …

Site has been hacked via SQL Injection

It looks like an overflow attack. They UNION-ed with your existing query. Replacing all your %20 with (space), since it's URL-encoded, yields: =-999.9 UNION ALL SELECT CONCAT(0x7e,0x27,Hex(cast(database() as char)),0x27,0x7e),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536- Break it down: the =-999.9 is just ending your current query. 0x31303235343830303536 is NULL – they are just matching the number of columns in your existing …

Confusion between prepared statement and parameterized query in Python

Prepared statement: A reference to a pre-interpreted query routine on the database, ready to accept parameters. Parametrized query: A query made by your code in such a way that you are passing values in alongside some SQL that has placeholder values, usually ? or %s or something of that flavor. The confusion here seems to …

How to prevent sql-injection in nodejs and sequelize? [closed]

Sequelize escapes replacements, which avoids the problem at the heart of SQL injection attacks: unescaped strings. It also supports binding parameters when using SQLite or PostgreSQL, which alleviates the risk further by sending the parameters to the database separately to the query, as documented here: Bind parameters are like replacements. Except replacements are escaped and …

Error!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)