Jump to content

SQL Injection


Recommended Posts

By the way, I see you never developed for the WEB before. Such code

SQL.Add('SELECT * FROM Actif ');
SQL.Add('WHERE (act_id='''+ IntToStr(FrmClientInput.idActif)+''')');

is asking for SQL Injection attack if you try to insert some user input. For the love of god, please at least use query parameters instead. Even better go read something about safe web programming.


Really , what is the appropriate way to avoid SQL Injection attacks?

Can you please show a fast guide of things we should and should not do during web programming?

Link to comment
Share on other sites

Use Params to pass user input values to your database., like this


qry.SQL.Text := 'update users set name=:name where uid=:uid';
qry.ParamByName( 'name' ).AsString := Sanitize(edname.txt);
qry.ParamByName( 'uid' ).AsInteger := uid; // not user input


Sanitize depends on database., If using Zeos with Mysql you can use mysql_real_escape_string() in ZPlainMySqlDriver.pas


Unfortunately there is no quick solution





Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...