Question : Read it carefully, we have this query which is inserting values in the table called users. For the […]
SQL injection in Postgres functions vs prepared queries
Question : In Postgres, are prepared queries and user defined functions equivalent as a mechanism for guarding against SQL injection? […]
Wildcard search using parameters in function with dynamic SQL
Question : What is the proper way to implement a wildcard search in PostgreSQL when using a parameter in a […]
Safely quoting type names to protect against SQL-injection
Question : How would I quote the type name to protect against SQL Injection. For example, take this SELECT FORMAT('SELECT […]
Does concatenating a string like this open me up to SQL injection?
Question : I recently answered a question with the following code sample: Create Table #Testing ( emaildomain varchar(100) -- Still […]
How to make PostgreSQL functions private (inaccessible to end users)?
Question : When writing a set of PostgreSQL functions with procedural languages, is it possible to make some of the […]
Security Risks with having Test Stored Procedures that have SQL Injection Vulnerability
Question : I noticed that some of the stored procedures used in our integration tests for data generation have SQL […]
Trace and analyze logs on SQL Server
Question : I am using a SQL Server 2012 on Windows Datacenter 2012. I have encountered a situation where I […]
What function quotes an identifier in dynamic-sql with SQL Server?
Question : What is the SQL Server method of safe-quoting identifiers for dynamic sql generation. MySQL has quote_identifier PostgreSQL has […]
Is there any way to break out of the string and inject SQL without using a single quote in oracle?
Question : I'm testing an Oracle based application and I've found the following code: Query = "SELECT name FROM employees […]