sql-injection

问题 I had this discussion with a high reputation PHP guy: PDO has no use here. as well as mysql_real_escape_string. extremely poor quality. This of course is cool, but I honestly don't know what's wrong with suggesting use of mysql_real_escape_string or PDO to fix this code: <script type="text/javascript"> var layer; window.location.href = "example3.php?layer="+ layer; <?php //Make a MySQL connection $query = "SELECT Category, COUNT(BUSNAME) FROM ".$_GET['layer']." GROUP BY Category"; $result =

问题 Let's say I had something like the following: function return_some_info($db, $id){ if (! preg_match("/^\d{5}$/",$id)) { header("Location: safepage.php"); exit; } $query="SELECT `column1`, `columns2` FROM `table` WHERE `columnId`=:id ORDER BY `column1` ASC"; $query_params = array( ':id' => $id ); $stmt = $db->prepare($query); $stmt->execute($query_params); while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) { $infoArr[]=$row; }; return $infoArr; } And let's say $id is a dynamic variable that could

问题 I have a Single Page Application in which the browser does all the logic work. Except for initial loading, the server is pretty much a fancy interface to the database. The browser sends data dictionary keys, column name / value pairs, and where clauses for SELECT, for example. The server assembles the parts into SQL, executes the queries, and replies. NEW: In a SELECT, for example, the table name and columns pulled are from the data dictionary - the browser supplies the data dictionary key

问题 Hacker reached my database User list and other tables. First of all, I use parameterized command in all of the transactions by using command.Parameters.Add("@Parameter1", SqlDbType.NVarChar).Value All transactions are stored procedures. I am inserting every single site navigation into database. Particular database table as follows; ID int (PK) UserID int (null) URL nvarchar(500) IPAddress nvarchar(25) CreatedAt datetime Project gets UserID information from the code is session opened or not.

问题 How can I escape a value for usage in a query to MSSQL Server? I know how it would be possible using JDBC but since I'm using SAP Business One DI API there is no way (I'm aware of) of using prepared statements. It would be sufficient to know how to escape string values while additionally knowing how to escape identifiers would be nice, too. Update : After reading New SQL Truncation Attacks And How To Avoid Them it seems sufficient to escape identifiers using [ (and doubling each occurrence of

问题 The database that I am connecting to has a table with a Full Text Search index. This works correctly. select * from MyTable where contains(*, 'value') In WPF if I send that exact command down it works. However value is not hard coded it is something an user types in so it needs to be protected for SQL injection. The issue is that in doing so it does not return results. Here is my code; DataTable dt = new DataTable(); string ConString = "Data Source=127.0.0.1,1433;Initial Catalog=MyDB;User Id

问题 From the OWASP page on Preventing SQL Injection in Java: Variables passed as arguments to prepared statements will automatically be escaped by the JDBC driver. I understand how prepared statements seperate user input to be handled as parameter content and not as part of SQL command. But I stumbled across the quoted sentence above and I am wondering what’s all the escaping about. How does that help prevent the injection attack? 回答1: Suppose your statement is "select * from foo where name = '"

问题 I have a quick question about the ASP.NET Login control. I understand that it protects from SQL Injection, but I was wondering if it also protects when I use the "Authenticate" Sub (for a custom authenticate method)? Can I go ahead and use 'username' and 'password' in an SQL statement without coding them as parameters? Cheers. 回答1: SELECT * FROM aspnet_Membership AS A INNER JOIN aspnet_Users AS B ON A.UserId = B.UserId WHERE B.UserName = '" & Login1.UserName & "' AND A.Password = '" & Login1

问题 I have a a page that appends different parameters to the URL that are used for the query. For example http://www.example.com/search.php?category=Schools&country[]=Belgium&country[]=Czech+Republic My code is like this if(isset($_GET['country'])){ $cties = "'" . implode("','", $_GET['country']) . "'"; } else { $cties = "'Albania','Andorra','Austria','Belarus','Belgium','Bosnia & Herzegovina','Bulgaria','Croatia','Czech Republic','Denmark','Estonia','Faroe Islands','Finland','France','Germany',

问题 I just had a friend of mine look over some code I'm using to get data from my database, and he tells me it's very unsecure and that SQL injection is serious shit. Here's the code I'm using now: $id = $_GET['id']; $result = mysql_query("SELECT * FROM news WHERE id = $id") or die("err0r"); He tells me that the solution is to change that code into: $id = intval($_GET['id']); $result = mysql_query("SELECT * FROM news WHERE id = $id") or die("err0r"); My code somehow (according to my friend) makes