Question : What is the SQL Server method of safe-quoting identifiers for dynamic SQL generation? MySQL has quote_identifier, PostgreSQL has […]
Tag: sql-injection
Is there any way to break out of the string and inject SQL without using a single quote in Oracle?
Question : I'm testing an Oracle-based application and I've found the following code: Query = "SELECT name FROM employees […]
Closing bracket ']' in LIKE wildcard
Question : I have a query that looks a bit like this: SELECT * FROM Stuff WHERE name LIKE '[a]]%' […]
Is this SP safe to SQL Injection?
Question : CREATE PROCEDURE [sp_Test] ( @param nvarchar(Max) ) AS BEGIN DECLARE @Output nvarchar(Max) = N'Select ' + @param Select […]
PostgreSQL. Is using a random tag in dollar quoting without escaping input safe?
Question : Is it safe to run such a query without escaping input? Assume no one can guess the random string I […]
Do stored procedures prevent SQL injection?
Question : Is it true that stored procedures prevent SQL injection attacks against PostgreSQL databases? I did a little research […]
Why do most SQL injections need a URL like this: "index.asp?id=123"?
Question : I am trying to learn "SQL Injection" concepts and also trying to practice some Kali tools to learn, […]
SQL Injection pen testing from the queries only
Question : Is there an established method or tool available to perform pen testing on an application by only testing […]
Building Dynamic SQL-Server Where Clause
Question : Let us review this dba.exchange Oracle question for SQL Server. This is SaUce's code, after a little formatting: CREATE […]
Inject aggregation function inside a procedure
Question : Is it possible to inject the name of a function (AVG, MAX…) as a procedure parameter? CREATE PROCEDURE […]