prepared-statement

What characters are NOT escaped with a mysqli prepared statement?

不打扰是莪最后的温柔 提交于 2019-12-04 03:51:38
问题 I'm trying to harden some of my PHP code and use mysqli prepared statements to better validate user input and prevent injection attacks. I switched away from mysqli_real_escape_string as it does not escape % and _. However, when I create my query as a mysqli prepared statement, the same flaw is still present. The query pulls a users salt value based on their username. I'd do something similar for passwords and other lookups. Code: $db = new sitedatalayer(); if ($stmt = $db->_conn->prepare(

Do I need to use (int)$id before I use $id in bindValue in Php PDO

谁说胖子不能爱 提交于 2019-12-04 02:27:28
问题 I just started using Php Data Objects and one thing I'm not sure about is do I have to validate that some variable is an integer before using it in the query. For example, like this: $id = (int)$_POST['id']; // is this required $query = $pdo->prepare("SELECT * FROM `articles` WHERE `id` = ?"); $query->bindValue(1, $id); $query->execute(); 回答1: No it's not required for two reasons: You're letting PDO know that you are going to query the database for a column ID. PDO isn't going to parse

How do I escape a literal question mark ('?') in a JDBC prepared statement

不问归期 提交于 2019-12-04 00:58:42
I'd like to create a JDBC PreparedStatement like: SELECT URL,LOCATE ( '?', URL ) pos FROM Links WHERE pageId=? ORDER BY pos ASC Where the 1st ? is a literal and the 2nd ? is a parameter. I could use CHAR(63) in place of the '?' but I think the extra function call would slow down the SQL execution. Is there some way to escape that 1st ? ? Edit: The following code tests dkatzel's assertion that the ? character in a string is not considered a marker: public class Test { public static void main(String[] args) throws SQLException { Connection conn = DriverManager.getConnection("jdbc:h2:mem:test");

What does pre-compiling a JDBC PreparedStatement do?

早过忘川 提交于 2019-12-04 00:32:38
问题 What does "precompiling" a statement do, because I have seen that if I write a prepared statement with a bad SQL syntax that compilation does not report any problem! So if precompiling a prepared statement doesn't check for syntax validity what really does it do? 回答1: Creating a PreparedStatements may or may not involve SQL syntax validation or even DB server roundtrips, that depends entirely on the JDBC driver used. Some drivers will do a roundtrip or validate, others will not. So on some

warning:mysql_fetch_array() expects parameter 1 to be resource, object given

偶尔善良 提交于 2019-12-04 00:28:43
Hey guys, I'm getting the above warning when I try to run this code: $mysqli=new mysqli("localhost", "***", "***","***") or die(mysql_error()); function checklogin($username, $password){ global $mysqli; $result = $mysqli->prepare("SELECT * FROM users WHERE username = ?"); $result->bind_param("s", $username); $result->execute(); if($result != false){ $dbArray=mysql_fetch_array($result); You are mixing mysql and mysqli calls in your code. Use mysqli_fetch_array instead of mysql_fetch_array . You are mixing mysqli and traditional mysql commands. Use $result->fetch_array() . You're using two

update table using dynamic prepared statements

浪子不回头ぞ 提交于 2019-12-03 22:28:55
I'm trying to accomplish dynamic PDO prepared UPDATE statements using a customized array filled with $_POST data. The array structure looks like this: $data = array(); $data[00001] = array("description"=>"item1", "stock"=>"100"); $data[00002] = array("description"=>"item2", "thr_alert"=>"20"); The mysql columns have the same name as the array keys. The 'id' is the main array key (00001, 00002, etc). My first approach was the method described here: php.net pdo execute() foreach($data as $itemId=>$value) { $keys = array_keys($value); $fields = '`'.implode('`, `',$keys).'`'; $placeholder = substr

PHP/PostgreSQL: check if a prepared statement already exists

拟墨画扇 提交于 2019-12-03 21:11:49
问题 I create my prepared statement as: pg_prepare('stm_name', 'SELECT ...'); Today, I had a problem (calling twice a function for mistake) when declaring a prepared statement with the same name twice: Warning: pg_prepare() [function.pg-prepare]: Query failed: ERROR: prepared statement "insert_av" already exists in xxx on line 221 So, as the question title, there is a way to check if a prepare statement with the same label already exists, and in case, overwrite it? I know this error is from my

Passing array parameter in prepare statement - getting “java.sql.SQLFeatureNotSupportedException”

狂风中的少年 提交于 2019-12-03 20:27:44
问题 I am facing error java.sql.SQLFeatureNotSupportedException in my prepare statement. I am using Mysql database. Below is my code. class tmp { public static void main(String arg[]) { try { Class.forName("com.mysql.jdbc.Driver"); Connection conn = DriverManager.getConnection( "jdbc:mysql://localhost/sample", "root", "root"); PreparedStatement pst = conn .prepareStatement("select * from userinfo where firstname in(?)"); String[] Parameter = { "user1", "Administrator" }; Array sqlArray = conn

how to prevent SQL Injection in JSP?

£可爱£侵袭症+ 提交于 2019-12-03 17:48:03
问题 Just last week, I was doing some PHP stuff. I worked a little solution to prevent SQL injections. PHP has been always my man, it has readily 3 solutions for use (maybe more). One is to enable "magic queries" using stripslashes() function. Another one (the recommended) is to use mysql_real_escape_string() function. That simple and my problem is solved. However, things don't seem to be that simple when it comes to JSP. I searched and didn't find any built-in function to strip slashes or do

Why does this MySQLI prepared statement allow SQL injection?

不羁岁月 提交于 2019-12-03 16:10:23
As I was teaching students how to prevent SQL injection today, I was mildly embarrassed. In professional projects I've used prepared statements / parameterized queries as one layer of prevention against SQL injection (although I've never used mySQL professionally). In theory, I thought SQL injection was impossible when using a prepared statement. But then this worked... $Search = $_GET['s']; $stmt = $mysqli->prepare("SELECT * FROM products WHERE id = ?"); $stmt->bind_param("i", $Search); $stmt->execute(); $Results = $stmt->get_result(); If I pass the parameter "?s=1 OR 1=1" then I can get a
订阅 prepared-statement