sql-injection

Python MySQL, is this a prepared statement?

可紊 submitted on 2021-01-29 12:38:44
Question: I am setting up a MySQL app. This is my getUsername method; it connects using standard MySQLdb formatting. Does this mean it is a prepared statement? Also, is this code safe, or am I vulnerable to SQL injection?

    import base64
    import pickle
    import MySQLdb

    def selectUser(userName):
        try:
            # base64-decode the request value and unpickle it to get the name
            username = pickle.loads(base64.b64decode(userName))
        except Exception:
            username = "admin"
        query = "SELECT name FROM users WHERE name = '%s'"
        conn = MySQLdb.connect('localhost', 'dbAdmin', 'lja8j30lJJal##', 'blog')
        with conn:
            c = conn.cursor()
            # the value is passed separately instead of being formatted into the string
            c.execute(query, (username,))

Writing a database firewall for blocking SQL Injection attacks

杀马特。学长 韩版系。学妹 submitted on 2021-01-29 10:27:37
Question: I am studying and researching different methods of SQL injection and their countermeasures. Checking HackerOne Hacktivities showed me that it is not enough for a web application to just use a WAF (e.g. CloudFront, Cloudflare, Akamai, ...), because hackers build WAF-bypass payloads to get past these technologies and make their attacks succeed. I searched the internet for the "Database Firewall" keyword, but most links were related to Oracle Database Firewall. As I am currently

Create table from dictionary data in a safe way

穿精又带淫゛_ submitted on 2021-01-29 05:43:18
Question: I have a problem where I have a list of dictionaries with, for example, the following data:

    columns = [{ 'name': 'column1', 'type': 'varchar' },
               { 'name': 'column2', 'type': 'decimal' },
               . . . ]

From that list I need to dynamically create a CREATE TABLE statement based on each dictionary in the list, which contains the name of the column and its type, and execute it on a PostgreSQL database using the psycopg2 adapter. I managed to do it with:

    columns = "(" + ",\n".join(["{} {}".format(col['name']

Dynamic SQL with C# SqlCommand

痞子三分冷 submitted on 2021-01-29 04:46:12
Question: I'd like to create a dynamic SQL query with C#'s SqlCommand where even the table is a parameter, so as to avoid injection attempts. Like below:

    comm.CommandText = "SELECT * FROM @tbl WHERE cond=@cond";
    comm.Parameters.AddWithValue("tbl", "TABLENAME");
    comm.Parameters.AddWithValue("cond", "CONDITION");

However, I have found that this is not allowed. I've looked into using dynamic SQL with an EXECUTE, but that seems to be only for stored procedures. Can I use dynamic SQL with an EXECUTE using

Can Windows App be Vulnerable to SQL Injection

主宰稳场 submitted on 2021-01-28 22:11:23
Question: I recently came across a Windows app which has the really bad practice of having inline SQL scripts. Can it be prone to SQL injection? If yes, are there any tools to discover the vulnerability quickly?
Answer 1: Yes, Windows apps can also be vulnerable to SQL injection attacks. The problem is not the type of application, and inline SQL scripts are not the problem either. The problem is when the SQL is built dynamically from hard-coded strings and user input strings. In fact, even stored procedures

What are Best Practices for preventing SQL injection in node-mysql?

一曲冷凌霜 submitted on 2021-01-28 18:43:08
Question: There has been some discussion on this topic (e.g. Preventing SQL injection in Node.js), but really no clear-cut clarity or deep discussion, let alone good documentation anywhere. The node-mysql docs discuss prevention of SQL injection and some escape functions. However, it is unclear how these functions prevent SQL injection. The manual says "Strings are safely escaped." Nothing more... Is that limited to escaping some characters only? There seem to be other equivalents in node-mysql for


How to prevent Azure table injection?

情到浓时终转凉″ submitted on 2021-01-27 20:23:39
Question: Is there a general way to prevent Azure Storage injection? If the query contains a user-entered string, for example his name, then it is possible to do some injection like: jan + ' or PartitionKey eq 'kees. This will end up getting an object jan and an object with the PartitionKey kees. One option is URL encoding. In this case ' and " are encoded, and the above injection is not possible anymore. Is this the best option, or are there better ones?
Answer 1: Per my experience, I realize that there is

Preventing SQL injection without prepared statements/SQLite/C++

倖福魔咒の submitted on 2021-01-27 07:40:28
Question: I'd appreciate some feedback on how secure this scheme is against SQL injection attacks. At the front end, the user enters personal information: name, address, phone numbers, email, and some free-form text. The back end is coded from scratch in C++, with no framework support, and integrates SQLite. The C++ code does not use SQLite prepared statements (for historical reasons, and it's too late to do anything about it). Instead, all SQL statements are constructed as printf-style format strings,

Prevent SQL Injection with Nodejs and Postgres

好久不见. submitted on 2020-12-26 08:17:15
Question: I'm developing a backend to interact with a PostgreSQL database and am looking for some help preventing SQL injection. I understand the concept of SQL injection, and have found some examples online of preventing those attacks, but I'm not sure if prevention techniques differ between SQL providers. This is the function I use to query data:

    var pg = require("pg");
    var client = new pg.Client(connectionString);
    client.connect();
    module.exports = async function newQuery(query) {
        var result = await