sql-injection

问题 I am used to developing in PHP/MySQL and have no experience developing with SQL Server. I've skimmed over the PHP MSSQL documentation and it looks similar to MySQLi in some of the methods I read about. For example, with MySQL I utilize the function mysql_real_excape_string(). Is there a similar function with PHP/SQL Server? What steps do I need to take in order to protect against SQL injection with SQL Server? What are the differences between SQL Server and MySQL pertaining to SQL injection

问题 Web applications on uncompromised computers are vulnerable to XSS,CRSF,sql injection attacks and cookie stealing in unsecure wifi environments. To prevent those security issues there are the folowing remedies sql injection: a good datamapper(like linq-to-sql) does not have the risk of sql injection (am i naïeve to believe this?) CSRF: Every form-post is verified with the <%:Html.AntiForgeryToken() %> (this is a token in a asp.net mvc environment that is stored in a cookie and verified on the

问题 I'm writing a java class which would be invoked by a servlet filter and which checks for injection attack attempts and XSS for a java web application based on Struts. The InjectionAttackChecker class uses regex & java.util.regex.Pattern class to validate the input against the patterns specified in regex. With that said, I have following questions: What all special characters and character patterns (for example <>, . , --, <=, ==,>=) should be blocked so that injection attack could be

问题 I'm writing a java class which would be invoked by a servlet filter and which checks for injection attack attempts and XSS for a java web application based on Struts. The InjectionAttackChecker class uses regex & java.util.regex.Pattern class to validate the input against the patterns specified in regex. With that said, I have following questions: What all special characters and character patterns (for example <>, . , --, <=, ==,>=) should be blocked so that injection attack could be

问题 I been reading a bit about SQL injection and I want to be sure my code is lets say "safe" from it, I was planning on using RegExp validators to check the user input but another post in here suggested only using parametrized querys, well I'm using them but I want to be sure my code is safe, is it? using ( SqlConnection dataConnection = new SqlConnection(myConnectionString) ) { using ( SqlCommand dataCommand = dataConnection.CreateCommand() ) { dataCommand.CommandText = "INSERT INTO Lines (Name

问题 When reading about SQL Injection and XSS i was wondering if you guys have a single string that could be used to identify those vulnerabilities and others. A string that could be thrown into a website database to black box check if that field is safe or not. (going to do a large test on a few inhouse tools) Rough example, wondering if you guys know of more? "a' or '1'='1" "center'> < script>alert('test')< /script>" EDIT: Found a nice XSS question on SO 回答1: I've found some nice firefox addons

问题 The Injection Procedures are : SELECT UserId, Name, Password FROM Users WHERE UserId = 105 or 1=1; But, My Question Is how the injection query is working in the sql? 回答1: its when you have your query as string in your code, something like this Query = "SELECT UserId, Name, Password FROM Users WHERE UserId = '" + sUserID + "'" So you pass sUserID = "ABC' OR 1=1;" this will be translated like SELECT UserId, Name, Password FROM Users WHERE UserId = 'ABC' OR 1=1 回答2: Since the condition 1=1 is

问题 I read so many articles saying that using prepared statements is very secure and good to prevent SQL injections. I built a few websites without using prepared statements. But after read all those articles, I am thinking to change whole codes using prepared statements. My Question Is it necessary to use prepared statements always? or is there any scenario whereby normal statement will be sufficient over prepared statements? 回答1: Non-prepared statements are sufficient if you have an SQL query

问题 Hi I was wondering if anyone knew of some good websites detailing prevention for SQL injection for .NET web applications. Any resources would be greatly appricated, thank you. 回答1: I think that, if you google a bit on 'preventing sql injection in .NET', you'll find lots of good resources. :) Anyway, one very important thing, is to not use string-concatenation in order to build your queries. Instead, use parametrized queries. ADO.NET allows to do this, in a very easy way: string sql = "SELECT

问题 I have pages that only display data from DB tables, the php pages only display the information they don't have any buttons, links, drop down menus, or forms. Im using the old mysql and not the mysqli or PDO for syntax Can I still get a SQl injection hack? 回答1: In order for SQL Injection to work, they need a way to send SQL Code to your server, as there is no input, it is in theory impossible for them to Inject SQL. (Although I am not an expert in the subject) I would still recommend you to