Stored procedures and/or prepared statements:

https://stackoverflow.com/questions/1973/what-is-the-best-way-to-avoid-sql-injection-attacks

Can I protect against SQL Injection by escaping single-quote and surrounding user input with single-quotes? (https://stackoverflow.com/questions/139199/can-i-protect-against-sql-injection-by-escaping-single-quote-and-surrounding-us)

Catching SQL Injection and other Malicious Web Requests (https://stackoverflow.com/questions/1284/catching-sql-injection-and-other-malicious-web-requests)

With Access DB, you can still do it, but if you're already worried about SQL Injection, I think you need to get off Access anyway.

Here's a link to the technique in Access:

http://www.asp101.com/samples/storedqueries.asp

Note that what typically protects from injection is not the stored procedure itself, but the fact that it is parameterized and not dynamic. Remember that even SPs which build dynamic code can be vulnerable to injection if they use parameters in certain ways to build the dynamic code. Overall, I prefer SPs because they form an interface layer through which the applications get to the database, so the apps aren't even allowed to execute arbitrary code in the first place.

In addition, the execution point of the stored procedure can be vulnerable if you don't use command and parameters, e.g. this is still vulnerable because it's dynamically built and can be an injection target:

    Conn.Execute("EXEC usp_ImOnlySafeIfYouCallMeRight '" + param1 + "', '" + param2 + "'");

Remember that your database needs to defend its own perimeter, and if various logins have rights to INSERT/UPDATE/DELETE in tables, any code in those applications (or compromised applications) can be a potential problem. If the logins only have rights to execute stored procedures, this forms a funnel through which you can much more easily ensure correct behavior. (Similar to OO concepts where objects are responsible for their interfaces and don't expose all their inner workings.)
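The execution-point problem described above, as an added example that is not part of the original answer: the same lookup written the way the vulnerable `Conn.Execute` line builds it (string concatenation) next to the parameterized form the answer recommends. It uses Python's sqlite3 on an in-memory database with a constructed `users` table; SQLite has no stored procedures, so a plain SELECT stands in for `usp_ImOnlySafeIfYouCallMeRight`, but the call-site issue is identical.

```python
import sqlite3

# Constructed sample rows standing in for the table the procedure would read.
ROWS = [("alice", "user"), ("bob", "admin"), ("o'brien", "user")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def find_user_dynamic(conn: sqlite3.Connection, name: str) -> list:
    """Mirrors the vulnerable Conn.Execute(...) line: the caller splices the
    argument into the SQL text, so the database parses user data as SQL."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """The fix the answer recommends: the command text is fixed and the value
    is bound as a parameter, so it never reaches the SQL parser as code."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name: str) -> dict:
    """Run both variants on the same input and report what each one did."""
    conn = make_db()
    result = {"parameterized": find_user_parameterized(conn, name)}
    try:
        result["dynamic"] = find_user_dynamic(conn, name)
    except sqlite3.OperationalError as exc:
        # A quote inside ordinary data already breaks the concatenated query:
        # proof that the input is being interpreted as statement text.
        result["dynamic"] = "error: " + str(exc)
    return result


if __name__ == "__main__":
    print(compare("alice"))          # both variants agree on plain input
    print(compare("o'brien"))        # dynamic errors, parameterized finds the row
    print(compare("x' OR '1'='1"))   # dynamic returns every row, parameterized none
```

The same pattern applies to the EXEC call in the answer: once the argument is bound as a parameter of the command rather than pasted into its text, the caller's input cannot change the shape of the statement the procedure receives.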