Dynamic SQL queries are creating a new layer of security

Currently, I am working on developing a sidebar search feature wherein users can select specific options by clicking them. These selected variables are then used to generate an SQL query.

Here is the process in more detail:
1. The user chooses options from the sidebar.
2. Based on these selections, a string (which serves as a URL) is created with parameters such as 'param1=value&'...
3. An AJAX call is made to a PHP controller, which passes the parameters to the model for querying the database using $_GET.

Although I do use prepared statements eventually, there is still a vulnerability where attackers could manipulate the URL. To mitigate this risk, I have defined an array of allowed values ($keysArr). If any $_GET variables are not within this array, the script terminates. Additionally, I apply int() to expected numeric values to trigger an error if they are not integers.

$keysArr = ['x', 'y', 'z'];

foreach ($ArrfromGET as $key => $value) {
    if (!in_array($key, $keysArr)) {
        die("don't attack me");
    }
}

I am uncertain if my approach is sufficient. Since the search function relies on dynamically generated values, finding a secure solution has been challenging. The code structure was inspired by the example provided here: https://www.w3schools.com/js/js_ajax_database.asp

javascriptsqlajaxsearch

Answer №1

Feel free to give this a shot.

Just a heads up, I'm demonstrating how to secure a dynamic SQL query here.

DECLARE @ParameterDefinition NVARCHAR(MAX) 
 SET @ParameterDefinition = '  
  @P_Name NVARCHAR(50)  
 , @P_Address NVARCHAR(50)';
DECLARE @SQL  NVARCHAR(MAX);
DECLARE @Name  NVARCHAR(50) = '' //provide value here
DECLARE @Address NVARCHAR(50) = '' //provide value here

SET  @SQL = 'SELECT * FROM USER WHERE Name = @P_Name OR Address = @P_Address'
 
 
 EXECUTE sp_executesql @SQL, @ParameterDefinition,
 @P_Name = @Name,
 @P_Address = @Address

Similar questions

If you have not found the answer to your question or you are interested in this topic, then look at other similar questions below or use the search

Can you explain the significance of an Ajax call response that appears as 'for (;;); { json data }'?

Query Related: What is the purpose of adding code like "throw 1; " and "for(;;);" in front of JSON responses? I noticed this particular syntax being utilized on Facebook during Ajax calls. The presence of for (;;); at the start of the response has lef ...

ajaxjsonfacebook

Is there a way for me to acquire the Amazon Fire TV Series?

I'm currently working on developing a web app for Amazon Fire TV, and I require individual authorization for each app. My plan is to utilize the Amazon Fire TV serial number for this purpose. However, I am unsure how to retrieve this serial using Jav ...

javascripthtmlamazon-fire-tv

How can I utilize a filter or pipe to populate product categories onto screens within Ionic 2?

I am considering creating an Ionic 2 app with 6 pages, but I'm unsure whether to utilize a Pipe or a Filter for the individual category pages and how to implement the necessary code. Each category page should be able to display products from the "app ...

javascriptangulartypescriptionic2ionic3

How can I use JavaScript (specifically Reactjs/NextJs) to add a new contact to my phone from a web

I'm currently working on creating a new contact using JS. I've come across documentation for retrieving all contacts from the phone here. Are there any libraries available to assist with this task, or is it only achievable with React Native? ...

javascriptreactjsnext.js

Is it possible to perform advanced SQL-like queries on JSON data using JavaScript?

Lately, I've been faced with a challenge where I need to manipulate a JSON result using SQL commands like left joins, sum, and group by. Has anyone else come across this issue recently? I'm currently experimenting with the jsonsql JavaScript libr ...

javascriptjquerysqljson

What could be the reason for the $event variable not functioning properly in conjunction with the

Here is an example of my HTML tag with an ng-change event where I pass $event as an argument: <input type="text" ng-model="dynamicField.value" ng-change="myFunction(dynamicField,$event)"/> See below for the corresponding AngularJS function: $scope ...

javascriptangularjs

What is the best method to assign a property to a model within AngularJS by utilizing an attribute parameter?

I am in the process of creating a custom directive in AngularJS for a UI slider that can be used multiple times. Each slider should be able to bind to a specific property. My idea was to use an attribute called "property" which would automatically update w ...

javascriptangularjsangularjs-directive

Unable to find the Popper component in Material UI

Material-UI version "@material-ui/core": "^3.7.0" I have a requirement to display Popper on hover over an element, but unfortunately, the Popper is not visible. This section serves as a container for the Popper component. import PropTypes from &apos ...

javascriptreactjsmaterial-ui

Managing various conditions within a table parameter to function as "AND" instead of "OR"

I'm currently working on a page that allows users to dynamically add search conditions to filter out records. These conditions are sent to a stored procedure in a TVP format. I now need to write a query that applies these filters as "AND" instead of " ...

sqlcross-join

Having trouble fetching AJAX POST data in PHP?

Attempting to send a variable as an object to my PHP file, but it's not receiving any data. Testing with window.alert(u.un) in the AJAX call shows that data is being passed successfully without errors in the console. However, the PHP file still does n ...

javascriptphpjqueryajax

React issue: parent state becoming unresponsive when updating during input onChange event

I am currently working on a large form that consists of at least 50 input fields. I have developed a function within the form component to store the input values in the form's state: PARENT FUNCTION saveToState(details) { const { company } = thi ...

javascriptreactjs

Why do users struggle to move between items displayed within the same component in Angular 16?

Lately, I've been immersed in developing a Single Page Application (SPA) using Angular 16, TypeScript, and The Movie Database (TMDB). During the implementation of a movies search feature, I encountered an unexpected issue. Within the app\servic ...

javascriptangulartypescript

Utilize AngularJS to load pages through a single state

Is there a way to develop a method that can dynamically load the controller and template for each page as needed, upon changing routes? I am looking to enhance the state url option by including 2 parameters, with the second one being optional. This would a ...

javascriptangularjs

Is it possible to alter the HTML structure using JavaScript?

Looking to shift the positions of 2 divs using JavaScript DOM manipulation, all without altering the HTML. <div class="div1"> this should move downwards</div> <div class="div2"> while this should move upwards</div&g ...

javascripthtmldom

Ways to retrieve the state from the Redux store

While working on setting up the Redux store in my app.js file, I found myself populating it with data from the database. However, now I am faced with the task of obtaining the state of the store in a plain JavaScript file, not a React class. If I was work ...

javascriptreactjsreduxreact-reduxstates

Arranging an array of objects by their unique identifiers

Given an array of objects containing root and list elements in a tree structure, how can I efficiently organize them into a tree with an unknown depth? Each object has a parent element ID property. I am currently working on building a menu. While I have s ...

javascriptarrays

Guide to transferring a series of numerical data from a website to a server through an Ajax request

I'm facing an issue with my ajax implementation. I am trying to send an array of integers that are selected using checkboxes. The array is populated correctly, but when it is sent to the controller method, it becomes null. Here is the Ajax code snipp ...

c#jqueryajaxasp.net-mvc

After refreshing the page, the Redux action fails to dispatch

Having some trouble with redux and possibly useEffect (not sure where the mistake lies). I'm attempting to fetch data from PokeAPI and store it in the redux state. The issue is that the data retrieved about pokemons does not include their types (fire, ...

javascriptreactjsreduxreact-reduxuse-effect

Updating the rotation of a grandchild in Three.js Object3D

In my current project, I am attempting to make the grandchild of a rotated Object3D element face towards the camera using the lookAt() method. I have experimented with various approaches to achieve this. However, the source code for the Object3D.lookAt() ...

javascriptthree.jsrotation

Res.render() is failing to display content

I'm facing an issue with my express route where it's not rendering a jade template properly. If I provide the wrong jade template string, I get the usual error indicating that the file couldn't be found to render in the browser. However, wh ...

javascriptnode.jsexpress