sql-injection

问题 I'm trying to simply prove here that this simple function isn't good enough to prevent every sql injection in the world: Function CleanForSQL(ByVal input As String) As String Return input.Replace("'", "''") End Function Here is a typical insert statement from one of our apps: Database.DBUpdate("UPDATE tblFilledForms SET Text1 = '" + CleanForSQL(txtNote.Text) + "' WHERE FilledFormID = " + DGVNotes.SelectedRows(0).Cells("FilledFormID").Value.ToString) I know its not secure, because of googling

问题 Sorry for ask here but I cannot found much reference about pymysql's security guide about how do we prevent sql injection, When I do PHP develope I know use mysql preparedstatement(or called Parameterized Query or stmt),but I cannot found reference about this in pymysql simple code use pymysql like sqls="select id from tables where name=%s" attack="jason' and 1=1" cursor.execute(sqls,attack) How do I know this will prevent sql injection attack or not?if prevent succeed,how do pymysql prevent

问题 I am new to ASP.NET and C# programming. I would like to know what is the difference and advantages plus disadvantages of using parameters instead of concatenation in SQL statements, as I heard that it is a better way to prevent SQL injection(?) Below are sample INSERT statements which I have changed from using concatenation to parameters: Concatenation: string sql = string.Format("INSERT INTO [UserData] (Username, Password, ...) VALUES ('" + usernameTB.Text + "', '" + pwTB.Text + "',...);

问题 Trying to get started with JDBC (using Jetty + MySQL). I'm not sure how to escape user-supplied parameters in a SQL statement. Example: String username = getDangerousValueFromUser(); Statement stmt = conn.createStatement(); stmt.execute("some statement where username = '" + username + "'")); How do we escape "username" before use with a statement? 回答1: Use Prepared statement. for example : con.prepareStatement("update Orders set pname = ? where Prod_Id = ?"); pstmt.setInt(2, 100); pstmt

问题 I have a database log appender that inserts a variable number of log lines into the database every once in a while. I'd like to create an SQL statement in a way that prevents SQL injection, but not using server-side prepared statements (because I have a variable number of rows in every select, caching them won't help but might hurt performance here). I also like the convenience of prepared statments, and prefer them to string concatination. Is there something like a 'client side prepared

问题 public static bool TruncateTable(string dbAlias, string tableName) { string sqlStatement = string.Format("TRUNCATE TABLE {0}", tableName); return ExecuteNonQuery(dbAlias, sqlStatement) > 0; } 回答1: The most common recommendation to fight SQL injection is to use an SQL query parameter (several people on this thread have suggested it). This is the wrong answer in this case. You can't use an SQL query parameter for a table name in a DDL statement. SQL query parameters can be used only in place of

问题 I have detected some failed SQL injection attacks on my website. The failed queries are of the form: SELECT 6106 FROM(SELECT COUNT(*),':sjw:1:ukt:1'x FROM information_schema.tables GROUP BY x) The ':sjw:1:ukt:1' part is specially constructed with variables concatenated together to give random 0s or 1s etc. I would like to know what these queries do? The database is MySQL. Update: Here is the original injected SQL: (SELECT 6106 FROM (SELECT COUNT(*), CONCAT( CHAR(58, 115, 106, 119, 58),

问题 This question is to settle an argument between me and a coworker. Let's say we have the following query, executed on a standard LAMP server. SELECT field1, field2, field3 FROM some_table WHERE some_table.field1 = 123 ORDER BY field2 DESC LIMIT 0, 15 Now let's assume the limit clause is vulnerable to SQL injection. LIMIT [insert anything here], [also insert anything here] The point of my coworker is that there is no way to exploit this injection, so there's no need to escape it (since it take

问题 I am using stored procedures. In order to save time, I made some generic procedures that uses dynamic sqlin order to update. Such generic procedure is: CREATE PROCEDURE [dbo].[SetField] @company_id uniqueidentifier, @id bigint, @field_code nvarchar(50), @value nvarchar(50) AS BEGIN DECLARE @field_name nvarchar(50) SET @field_name = NULL SELECT @field_name=field_name FROM dbo.FIELD_DEFINITION WHERE field_code=@field_code IF @field_name IS NOT NULL BEGIN IF @value IS NULL OR @value='' BEGIN SET

问题 I have written this short function to protect against my_sql injection, because of its importance I just want to double check with other's that this will function as I intend. foreach($_REQUEST as $key => $value) { $_REQUEST[$key] = stripslashes($value); $_REQUEST[$key] = mysql_real_escape_string($_REQUEST[$key]); } 回答1: Well, you use stripslashes() because the magic_quotes_gpc is set? So this code will only work when magic_quotes_gpc is set! I'd recommend you switch it off and dont use the