sql-injection

问题 I'm trying to encrypt three sets of data to insert into MySQL database. However only the first one is working ($email). Firstly I post data from a form, make several checks (does the user exist etc...). At this point I encrypt the email to check with the database (already exists). If the data doesn't already exist, it will encrypt the first names and surnames and insert them into the database. It does encrypt the first name and surname, but not correctly. Only the email encryption works.

问题 Echoing to my previous question about SQL-injection. I'm trying to set up a PDO connection. For that I want to replace my old code with the new: Here is the old $conn = mysql_connect("localhost", "sec", "dubbelgeheim") or die('Error: ' . mysql_error()); mysql_select_db("bookshop"); $SQL = "select * from productcomment where ProductId='" . $input . "'"; $result = mysql_query($SQL) or die('Error: ' . mysql_error()); $row = mysql_fetch_array($result); if ($row['ProductId']) { echo "Product:" .

问题 The best way to avoid SQL injection for defined value type such as numbers, is to validate the value; since it is easier to do so comparing with mysqli preparation. In PHP, we can do this by. 1. if(!is_numeric($value)) {$value=0;} 2. $value=floatval($value); 3. $value=intval($value); 4. $value=$value * 1; What is the most reliable one? or a better idea? UPDATE: Although I have stated in the original question, most of folks emphasized the usefulness of parameterized queries. Definitely, it is

问题 For my login control I'm using parameters in an SQL statement. Trouble is if people use SQLinjection, I'm afraid they'll be able to get in too. I have two textboxes and the values are passed on to an SQL statement, this checks whether the values are found in the DB. Is there a way to make sure this isn't possible? I know in PHP you need to use something infront of the textboxes. Thanks for your time! 回答1: Use parameters in your queries: // C# SqlCommand cmd = new SqlCommand("UPDATE Products

问题 I am having a query something like this. StringBuilder sbQry = new StringBuilder(); sbQry.append("select * from tableName where 1=1"); if(!myCollection.isEmpty()){ sbQry.append(" and ("); for (int i = 0; i < myCollection.size(); i++) { final String module = myCollection.get(i); sbQry.append("column = '" + module + "' or column like 'J_'||'" + module.replaceAll("-", "%") + "'"); if (!(i == (myCollection.size() - 1))) { sbQry.append(" or "); } } sbQry.append(") "); } Here this query sbQry is

问题 I have a url, that when valid would look like this: site.com/page.php?id=12345 I'm trying to understand if we're vunderable to sql injection. In this particular instance, the value should only be a positive integer value, since it's an id number. We do sometimes use other variables that could be a letter, or a string of text, for example, the search results pages. An example of the code used to extract the ID variable is here: $variable = "0"; if (isset($HTTP_GET_VARS["id"])) { $variable =

问题 I want the user to be able to choose what order results are displayed e.g. by age), and I don't want to sort them after getting them from the database. Obviously if the user is able to specify input that affects SQL commands, it needs to be sanitised, and I would normally use parameterisation, but pysqlite seems to ignore parameters for anything except values. Example code is below showing parameterisation not working for ORDER BY , and also a workaround using string formatting, but that is

问题 Anyone know a good lib where i can run the strings before they are inserted, that can strip out sql/javascript code? To be run in jsp pages. Idealy the lib would be: Free Lightweight Easy to use Thanks in advance to the SO community who will happily reply :) 回答1: Apache Commons lang StringEscapeUtils will get you some of the way. It escapes, doesnt strip. http://commons.apache.org/lang/api/org/apache/commons/lang/StringEscapeUtils.html Edit: Escaping can save you from injection attacks

问题 I am using MySQL Connector/Net and I want to write a query against a table whose name will be specified at runtime. This example is off the top of my head (not tested): public class DataAccess { public enum LookupTable { Table1, Table2, Table3 } public int GetLookupTableRowCount(LookupTable table) { string tableName = string.Empty; switch (table) { case LookupTable.Table1: tableName = "table_1"; break; case LookupTable.Table2: tableName = "table_2"; break; case LookupTable.Table3: tableName =

问题 I execute a string query using EF 4: string query = "SELECT * FROM Table WHERE ...."; [+ build WHERE clausule based on the user's input values] db.ExecuteStoreQuery<TAble>(query).ToList(); I'm wondering how to prevent that query from SQL Injection in taht WHERE clausule. Any ideas ? 回答1: You need to use a parameterized query: // Build where clause var filters = new StringBuilder(); var parameters = new List<object>(); if (!string.IsNullOrEmpty(name)) { if (filters.Length > 0) filters.Append("