SQL Security

SQL Injection

aka SQLi

![[image-20221201103417882.png]]

end users can run arbitrary SQL on your database

Types

• Boolean based
  • /employees?name=xyz'; OR 1=1--
  • gets all the employees
• time based
  • /employees?name=xyz'; SELECT pg_sleep(5)--
  • will return a 500 error after 5 seconds
  • if you do this a ton of times --> connection exhaustion
  • dangerous because it's silent
• data tampering
  • /employees?name=xyz'; UPDATE employees_employee SET

CVE - common vulnerabilities and exploits

CVE - PostgreSQL

Use ORMs

Employee.objects.raw(f"""
  SELECT name FROM employee WHERE
-  name='{name}'"""
+  name=%s""", name
)

---

Last update: 2023-04-24