We Keep Coding

Safe way to delete rows [closed]

Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 5 years ago.
Improve this question
I am writing code to delete a row based on ID from a SQL Server database. I want to make sure my code is safe from accidentally deleting everything or deleting something other than what it should. My code at the moment is as follows...
$st = $conn->prepare("if (select count(*) from sometable where id = :id) = 1
delete from sometable where id = :id");
$st->bindParam(':id',$id);
$st->execute();
Is this a safe way to delete a single row without accidentally deleting everything? Is there a better, known best-practices way to do it?
Edit: I am getting an error COUNT field incorrect or syntax error when testing this code.
I have changed my code accordingly to resolve this (I was hoping I could refer to the same field more than once and bind it once but apparently not)
$st = $conn->prepare("if (select count(*) from sometable where id = ?) = 1
delete from sometable where id = ?");
$st->execute(array($id,$id));
(Might as well use my question to troubleshoot since stackoverflow won't let me delete it)

Is this a safe way to delete a single row without accidentally deleting everything?
Yes, as long as your ID's are unique for each row.
Is there a better, known best-practices way to do it?
No.

hex encode in sql injection [closed]

Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
http://www.pwntester.com/blog/2014/01/15/hackyou2014-web100-write-up/
At this link, They have injected by hex code like
0x39393939393939393939393920756e696f6e20616c6c202873656c656374202748656c6c6f21212729
meaning:
999999999999 union all (select 'Hello!!')
In mysql,we cannot type a query like
Mysql> 0x0abcd... (assume that 0x0abc.. mean select * from...).
So, Can you explain for me why can they inject as in my link?
p/s: Sorry about my poor English.

The SQL injection does not happen in the INSERT statement but in the second SELECT statement:
"SELECT title FROM picture WHERE id = ".$r['id']
Here $r['id'] is the recently inserted ID, i. e., the user supplied $_POST['id'] value.
Now the reason for why this SQL injection works is MySQL’s support for hexadecimal literals and the fact that the id column of the vote table is of a string type as in that case the following applies:
In string contexts, they act like binary strings, where each pair of hex digits is converted to a character:
mysql> SELECT X'4D7953514C';
-> 'MySQL'
mysql> SELECT 0x0a+0;
-> 10
mysql> SELECT 0x5061756c;
-> 'Paul'
For PHP 0x… is numeric (i. e., is_numeric) and for MySQL 0x… is interpreted and stored as string, which later gets inserted into the above mentioned SELECT statement.
This wouldn’t be possible if either
id would have been a numeric data type, or
the SELECT would have been a prepared statement.

This is already answered in the comments on that blog post. The hex string must be run through PHP, or some other system which incorrectly passes the value to MySQL as a string (instead of a number), in order for this "hack" to work.

how to add quotes to a search string for an exact match? [closed]

Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
I have some code here for a song request program. And it works just fine other than the user has to use surrounding quotes for an exact match. I am wondering how I would go about having the php add the quotes so the user can type a band or song title as normal without having to read the small help notice saying to use quotes?

You can concate quotes in after if you like.
$termToSearch = '"' . $termFromUser . '"';
$query = 'SELECT * FROM table WHERE song = :song'
$statement = $this->db->prepare($query);
$statement->bindValue(':song', $termToSearch);
$statement->execute();
$statement->closeCursor();

Just use "=" instead of "LIKE"
SELECT * FROM table WHERE column = '$searchterm'

Pdo update with variables inside the query [closed]

Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 9 years ago.
Improve this question
Ok so i store the column i want to update in side a variable so i need to put the variable in side the main query i try and do it like so
$sqlltyryrt = "UPDATE user_items SET :fggdgdf = :fggdgdf +1 WHERE username=?";
$qqqqq = $db->prepare($sqlltyryrt);
$qqqqq->execute(array('fggdgdf'=>$fggdgdf),$_SESSION['username']);
I have searched for an answer and have found a thread here on the site doing the same:
Using a passed variable in a query using PDO (Oct 2011; by Don S)

$sqlltyryrt = "UPDATE user_items SET :fggdgdf = :fggdgdf +1 WHERE username=?";
$qqqqq = $db->prepare($sqlltyryrt);
$qqqqq->execute(array('fggdgdf'=>$fggdgdf),$_SESSION['username']);
You can't bind the names of columns; so that isn't going to work. There's no way to use a bound variable for a column or table name, so the only way to do this is to actually interpolate the variables into the string:
$sqlltyryrt = "UPDATE user_items SET $fggdgdf = $fggdgdf +1 WHERE username=?";
$qqqqq = $db->prepare($sqlltyryrt);
$qqqqq->execute(array($_SESSION['username']));
But you need to be very sure that you've sanitized the variables, else you're open to SQL injection. You can use whitelisting for this, as you should be able to generate an array of possible column names and can check that the variables are present in that array.
But the fact that you're trying to bind the names of comments implies that your database design could do with looking at.

How to add entries to mysql db using API..? [closed]

Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
I am new to PHP and mysql and i am trying to make API's for my iphone app.
So far i have been able to connect and retrive data from my sql database now m trying to make entries to it using API's and parameters.
Can anyone help me out here please.
Thanks alot!!

If by to make entries you mean adding data to the database.
You do this in the same way that you select data.
Instead of issuing a select statement like:
SELECT x,y,z FROM table1
You do:
INSERT INTO table1 (x,y,z) VALUES ('a', 1, 'test')
Or:
UPDATE table1 SET x = 'b' WHERE x = 'a'
How you pass parameters depends on the API you use.
It is best (safest) to use PDO to pass parameters.
How to get parameters out of a url
In order to get the parameters out of the url (e.g.: example.com/test.php?username=xyz&password=!##$%) do:
$username = mysql_real_escape_string($_GET['username']);
$password = mysql_real_escape_string($_GET['password']);
$query = "SELECT * FROM users WHERE username = '$username'
AND passhash = sha2(CONCAT(salt,'$password'),512)";
Note that it's vital to put single quotes around the injected variable names when using mysql_real_escape_string() or the escaping will be useless. Used like this the code is 100% secure from SQL-injection.
If you're using PDO, you can drop the mysql_real_escape_string() if not you need it to prevent SQL-injection.
Links
http://dev.mysql.com/doc/refman/5.5/en/update.html
http://dev.mysql.com/doc/refman/5.5/en/insert.html
http://php.net/manual/en/ref.pdo-mysql.php
https://stackoverflow.com/search?q=%5Bphp%5D+%5Bmysql%5D+pdo
http://php.net/manual/en/reserved.variables.get.php
http://php.net/manual/en/function.mysql-real-escape-string.php