petdance / bobby-tables Goto Github PK

Drop all the build chain for the site, directly host with GitHub and put in a crecord for the domain.

Hi!
As far as I am aware (and able to test) ASP (classic) does not support named parameters, so the example on the page will not work.
In ASP, you use questionmarks, in place of parameternames in the query.

http://blog.presidentbeef.com/blog/2013/02/08/avoid-sql-injection-in-rails/

bobby-tables uses old style Google Analytics. Upgrade it.

https://security.stackexchange.com/questions/128412/sql-injection-is-17-years-old-why-is-it-still-around/129390

http://security.stackexchange.com/questions/25684/how-can-i-explain-sql-injection-without-technical-jargon#answer-25710

I'm pretty sure these used to work where links like http://bobby-tables.com/php would display the correct content. Now it seems that you're required to add .html which adds needless clutter to the URL.

The shorter the links are, the easier they are to fit into comments or notes, especially where character counts are relevant.

https://www.contextis.com/resources/blog/comma-separated-vulnerabilities/

http://bobby-tables.com/php.html

I should point out, that the Wordpress DB "parameter binding" is not only sprintf like, but is in fact, implemented in terms of sprintf and the queries are interpolated and sent as single queries to the database after throwing mysql_real_escape_string at them ( and a bunch of other regular expressions ).

As such, I don't believe calling it parameter binding is truthful in anyway, and there are potential security leaks hiding in wordpresses custom escaping logic.

• Calling real_escape
• Using addslashes
• String building prepare function

As requested, a ticket for the l10n feature. Since I cannot change the web server configuration, I made the decision to use subdirectories for languages other than English. This is now finished, i.e. make builds the complete site, and you just need to pull in all my changes from daxim/bobby-tables@36294d6.

The advertising for it is commit daxim/bobby-tables@00f40c1.

The Python code doesn't function as described. execute(sql, a, b) immediately does newsql=sql % (a,b), at least when I looked at it in the code I'm currently running.

It seems that https://bobby-tables.com/ has a rejected certificate because that certificate is actually for beyondgrep.com.

Would be nice to have a TLS link that can be shared.

http://motherboard.vice.com/read/the-history-of-sql-injection-the-hack-that-will-never-go-away

https://beta.companieshouse.gov.uk/company/10542519

I have been playing around with client side JavaScript source code highlighters in other projects and I think it would be useful here as well. The two key features I believe users benefit most from:

1. Language specific syntax highlighting
2. Line numbers

I am more than willing to add this feature in.

This would be useful for: VBA/VB6, ASP Classic, WSH, VBScript.

Write a page that explains why parametrized queries are a better solution than escaping all your user input.

Hi,

I quickly put the project on Transifex to allow for easy translations:

https://www.transifex.net/projects/p/bobby-tables/resource/messagespot/

Please add this link in the documentation.

The information for avoiding SQL injection in .NET is currently fragmented over 3 different pages: C#, .NET, and ASP. It should really be consolidated into a single page (with or without subpages as appropriate), and should be structured as follows:

• Direct ADO.NET
  • Using the base classes in System.Data.Common
  • Built-in providers
    • SQL Server
    • OLE DB
    • ODBC
  • Third-party providers
    • Oracle
    • Postgresql
    • MySQL
    • SQLite
• Entity Framework Core ?
• EF 6
  • ExecuteSQLCommand and ExecuteSQLCommandSync methods
  • SqlQuery method
• Dapper
• Additional ORMs

This information is the same for any .NET language -- C#, VB.NET, F#, IronPython -- and for every .NET programming environment -- ASP.NET, WPF, console application, WinForms. At best it might be good to have examples for various languages on each subsection.

One important note: some providers support named parameters (e.g. the SQL Server provider); some providers support position parameters (e.g. the OLE DB provider).

Nice resource, but I can't find any license information? Can I suggest CC-BY-SA? http://creativecommons.org/licenses/by-sa/3.0/

Hi!

I've noticed german (de_de) translation in codebase, but if I visit http://bobby-tables.com/ I don't see this translation, although my browser has German as the default language.

Add back a translations page and explain why I removed them from the main site. Explain that anyone is free to translate the site and host it on their own site. Provide links to such sites.

"quote_lteral()" should be "quote_literal()", in the paragraph of text before the example code.

On page: http://bobby-tables.com/postgresql.html

SQL injection is a big topic. Add a page of links to other sites on the topic.

To reproduce, inject some non-ascii to the related string, for example for de_DE :

msgid "Bobby Tables: A guide to preventing SQL injection"
msgstr "Bobby Tables: Ein Leitfaden gegen SQL-Einschleusungşığ"

And the header will include some garbage.

No idea how to fix that. I'll instead use html entities for this string in my translation.

I think that client-side Node is different enough from local storage that they should be done separately.

Pete Krawczyk points out that we can change URLs to MSDN.

For example, the first link on http://bobby-tables.com/de_DE/dotnet.html is

http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlcommand.prepare.aspx

but we can change that to

http://msdn.microsoft.com/de-de/library/system.data.sqlclient.sqlcommand.prepare.aspx

I was thinking a hall of shame for tutorials and examples not using parameterization when applicable.

The PHP SQL injection protection is missing. Here it is:

$dbh = new PDO('mysql:dbname=testdb;host=127.0.0.1', $user, $password);
$stmt = $dbh->prepare('UPDATE people SET name = :new_name WHERE id = :id');
$stmt->execute( array('new_name' => $name, 'id' => $id) );

On my Mac, I currently have the de_DE/ and ru_RU/ directories building without doing any translating. Don't know why, but I do know that we need a test to make sure that we catch it.

http://www.areino.com/hackeando/ is one. There's another in the repo.

I don't know whether you'd want to list it under "Java" or "Android" -- I note that you have both "C#" and ".NET" -- but the platform provides its own database API.

The object you're running queries against can be either a ContentResolver:

Cursor result = contentResolver.query(uri, projection, selection, args, orderBy);

or an SQLiteDatabase object:

Cursor result = database.query(table, projection, selection, args, groupBy, having, orderBy);

In either case, your selection string should contain question marks, which are bound to the args array from left to right, as in this example:

static final String my_table = "users";
static final String[] my_projection = new String[] { "username", "last_login" };
String checkdate = "2015-11-01";
Cursor result = object.query(my_table, my_projection, "date(last_login) < date(?)", new String[] { checkdate }, null, null, null);

From Steve Davis [email protected]

Hey Andy,

Thanks for your bobby-tables page and language examples.

I see your todo list includes “explain why creating code from outside data is bad” and am wondering when you are going to get to that.

I definitely understand the problem of SQL injection having had one of my early sites injected and then a crude “pay me or I will show you more of your data” attempt. However I don’t understand “why creating code from outside data is bad” or even what you mean exactly.

So a rundown on the whole thing and how pg_query_params prevents injection would be excellent.

Thanks in advance

All the best

Steve

(Screenshot of home page)

If the label text would be EF that would also be fine.

I should note this is using Chromium 67.0.3396.79 on LXDE Fedora 28.
Google Chrome on Windows doesn't wrap the label.

On my Mac, expr doesn't have the substr functionality. Replace it with something else more portable, such as awk or Perl.

Show how widespread a problem SQL injection is.

https://blog.sucuri.net/2017/02/sql-injection-vulnerability-nextgen-gallery-wordpress.html

Example: Code is not monospaced; bobby cartoon doesn't load.

http://www.securesolutions.no/why-its-easy-being-a-hacker/

HTML 5 has localstorage and SQL database functionality that lets you write Javascript code that will be susceptible to the same pitfalls as any other language.

On the page http://bobby-tables.com/php.html it says
Note that the query must be in single-quotes or have the $ escaped to
avoid PHP trying to parse it as a variable

In fact, surprisingly, but by design, PHP treats double-quoted $x as
literal in the special case where x is a number. (note that variable names
must begin with a letter).

Thus:
$name="Bobby"; echo "Hello $name, this is parameter $1\n";
prints:
Hello Bobby, this is parameter $1

I also expected that this should create a parse error, and reported a bug
on it - but it is intentional in PHP.

Right now the titles say "Bobby Tables: A guide to preventing SQL injection" but on the language pages we should specify "Bobby Tables: A guide to preventing SQL injection in (Perl, Java, whatever)" outside the top page.

Ruby/DBI appears to be long gone. Some alternatives:

Sequel

http://sequel.jeremyevans.net/

DB["update customer where code = ?", "abc1"].update
DB.fetch("select * from customer where code = ?", "abc1")

RDBI

https://github.com/RDBI/rdbi

dbh.prepare("insert into tbl (string, number) values (?, ?)") do |sth|
  sth.execute("quux", 1024)
end

http://johnroach.info/2011/02/17/why-mysql_real_escape_string-isnt-enough-to-stop-sql-injection-attacks/

Markdown is far more widely used, and will be much nicer on Github.

Instead of trying to cram the SQL injection discussion on the front page, move it to its own page.

The English / Deutsch only show up in the footer of the page. The only way someone would see them is by accident. Let's put something obvious in the main page that says "Hey, there are other versions available". Or maybe even make a "Bobby Tables in other languages" page that gives links to the German and Russian pages, and also gives instructions for people who want to contribute.

MySQLdb doesn't actually do parameterized queries, but simply quietly escapes and interpolates the passed-in values behind the scenes. This means that under certain (encoding) circumstances, it could be vulnerable to SQL injection.

oursql has actual parameterization, and should probably be recommended for MySQL instead.

https://salesforce.stackexchange.com/questions/130793/build-a-string-for-database-query

If you look at the generated java page you will notice all the PreparedStatement are breaking the paragraphs and the links do not work.

This I believe is a limitation in Markdown with the link inside the backtick. That is why I left those parts within '' blocks so it would look correct and be a link.