Problem: my query is flagged as an SQL injection alert

1

Thank you in advance for answering.

The problem is that when I run the following query I get an SQL injection alert.

\!/ ALERTA !!!!!

[09 Aug 2016 10:45:30]
TIPO: SQL INJECTION-INTERNO
URL ATAQUE: /gci//workflowgestion/workflowgestion.php
CAMPO: sql
ATAQUE: UPDATE detalleplannorma SET dtleplnanrma_observacion = ('FLUJO ENVIADO - ' + COALESCE(dtleplnanrma_observacion, '') )
, wrkogsto_id = #wrkogsto_id# WHERE dtleplnanrma_id = 404
DESCRIPCION: update detalleplannorma set dtleplnanrma_observacion =|||||dtleplnanrma_observacion
IP: ::1
SERVER-NAME: localhost
-----------------------------------------------------

This is the function that runs when I click to update; I think it's because the SQL is sent through the URL, although I'm not sure. I would really appreciate any help.

<script>
    $(function(){
        $("#workflow").click(function(){
            gestionar_workflow('<?=$PATH_GCI?>/workflowgestion/workflowgestion.php', '<?=$wrko_id?>', '<?=$asunto_workflow?>', '<?=$crgo_id?>', '<?=$sql_workflow?>', 'GCI', '<?=$wrkogsto_id?>', 'MODAL', '');
            $('body').on('dialogclose', '#dialog-window-gci-workflow', function(){
                window.open('<?=$window_open_after?>');
                $('#dialog-window-gci').on('dialogclose', function(){
                    $('body').find('table[id^="grid_modulo_"]').each(function(){
                        $(this).trigger('reloadGrid');
                    });
                });
            });
        });
    });
</script>
    
asked by Manuel Mosquera on 09.08.2016 at 18:06

1 answer

2

SQL statements must not be built by string concatenation, as an attacker can inject statements into the dtleplnanrma_observacion variable. For a secure replacement you must use parameters, according to the driver / database, so that your statement is something similar to:

UPDATE detalleplannorma SET dtleplnanrma_observacion = 'FLUJO ENVIADO - ' + COALESCE(?, '') 
    
answered on 09.08.2016 at 18:37
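As an added example (not code from the question or the answer above), here is the UPDATE from the alert written as a PDO prepared statement, which is the "use parameters" approach the answer recommends. Assumptions: PDO with an in-memory SQLite database so it runs stand-alone, so string concatenation uses SQLite's `||` where the original query used `+`; the table and column names are copied from the alert, while the sample row, the function names `enviarFlujo`/`leerObservacion` and the values passed in are constructed for the demonstration. The SQL text stays fixed in the server-side code instead of travelling through the URL as `$sql_workflow` does in the question.

```php
<?php
// Added example, not the original project's code. Uses an in-memory SQLite
// database (assumption) so it runs offline; table/column names come from the
// alert in the question, the row data is constructed.
declare(strict_types=1);

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE detalleplannorma (
        dtleplnanrma_id INTEGER PRIMARY KEY,
        dtleplnanrma_observacion TEXT,
        wrkogsto_id INTEGER)');
    // Constructed sample row using the id that appears in the alert.
    $db->exec("INSERT INTO detalleplannorma VALUES (404, 'Revisado', 1)");
    return $db;
}

// Hardened form: the statement text is a constant in the code; every variable
// value (prefix, workflow state id, row id) is bound as a parameter, so the
// driver hands it to the database as data, never as part of the SQL.
// SQLite concatenates with "||" (the page's query used "+", SQL Server style).
function enviarFlujo(PDO $db, int $detalleId, int $wrkogstoId, string $prefijo): int {
    $stmt = $db->prepare(
        'UPDATE detalleplannorma
            SET dtleplnanrma_observacion = :prefijo || COALESCE(dtleplnanrma_observacion, \'\'),
                wrkogsto_id = :wrkogsto_id
          WHERE dtleplnanrma_id = :id'
    );
    $stmt->bindValue(':prefijo', $prefijo, PDO::PARAM_STR);
    $stmt->bindValue(':wrkogsto_id', $wrkogstoId, PDO::PARAM_INT);
    $stmt->bindValue(':id', $detalleId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

function leerObservacion(PDO $db, int $detalleId): ?string {
    $stmt = $db->prepare(
        'SELECT dtleplnanrma_observacion FROM detalleplannorma WHERE dtleplnanrma_id = :id'
    );
    $stmt->execute([':id' => $detalleId]);
    $valor = $stmt->fetchColumn();
    return $valor === false ? null : $valor;
}

$db = makeDb();
// A prefix containing a quote and a comment marker is stored verbatim because
// it is bound as a parameter rather than spliced into the statement text.
$filas = enviarFlujo($db, 404, 7, "FLUJO ENVIADO - O'Brien -- ");
echo $filas, " fila(s) actualizada(s)\n";
echo leerObservacion($db, 404), "\n";
```

With this layout the browser only needs to send the row id and the workflow state id; the `sql` field that triggered the alert disappears from the request entirely, which also removes the reason the WAF fired.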