Menu
I use shell script to communicate to a MySQL database. MySQL supports specifying query as a shell argument, like this:
mysql my_db -B -N -e "select id from Table"
However, if I have a parameter, which I'd like to use in a query, how can I get protection against injection attacks?
A naive way is to just paste variable value to the request, but it's not very secure:
mysql my_db -B -N -e "select id from Table where name='$PARAM'"
Are there any tricks or documented interfaces to make an injection-safe queries from command line?
878
How to Prevent an SQL Injection. The only sure way to prevent SQL Injection attacks is input validation and parametrized queries including prepared statements. The application code should never use the input directly.
SQL injections typically fall under three categories: In-band SQLi (Classic), Inferential SQLi (Blind) and Out-of-band SQLi. You can classify SQL injections types based on the methods they use to access backend data and their damage potential.
Properly parameterizing your dynamic SQL allows you to not only pass values in, but also to get values back out. In this example, @x and @y would be variables scoped to your stored procedures. They aren't available within your dynamic SQL, so you pass them into @a and @b , which are scoped to the dynamic SQL.
You can base64 encode the value, and then base64 decode it once it's in MySQL. There are UDFs in MySQL for converting Base64 data to common data. Additionally, most systems either have uuencode, or the 'base64' command for base64 encoding data.
123
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
