sql-injection

问题 Possible Duplicate: SQL injection that gets around mysql_real_escape_string() I havent seen any valuabe or not outdated info on this. So, there is this question: Does mysql_real_escape_string() FULLY protect against SQL injection? Yet it is very outdated(its from '09), so as of php 5.3 and mysql 5.5 in '12, does it protect fully ? 回答1: mysql_real_escape_string ALONE can prevent nothing. Moreover, this function has nothing to do with injections at all. Whenever you need escaping, you need it

问题 I wanted to post this here as it is very much coding related and was something I had to clean up this week on one of my company's old ASP (classic) sites. We got hit with the SQL injection attack that was run just a few days ago, but I'm scratching my head WHAT exactly the 'damage' was to the SQL server (via these SQL queries). To be honest, I thought it was very ingenious the way this was carried out, and its my companies fault for having an old 10 year old site with little to no sanitized

问题 I'm in trouble with a group of hackers. they hacked my client's site few times, and my client gets more angry :( my client lost his database (which has hundreds records), and had to enter all :( now I'm following some more introductions; fixed file permissions changed ftp and host login info cleared all remote mysql accesses now working on SQL Injection issue. I added mysql_real_escape_string to admin panel login paramaters. So where else should I use this mysql_real_escape_string ? I have

问题 For some sql statements I can't use a prepared statment, for instance: SELECT MAX(AGE) FROM ? For instance when I want to vary the table. Is there a utility that sanitizes sql in Java? There is one in ruby. 回答1: Right, prepared statement query parameters can be used only where you would use a single literal value . You can't use a parameter for a table name, a column name, a list of values, or any other SQL syntax. So you have to interpolate your application variable into the SQL string and

问题 I have been spotting the sentence PHP PDO's prepared statements prevents SQL injection . How does php PDO's(PDO's prepared statements) prevent sql injection? What are other pros/cons of using PDO(PDO's prepared statements)? Does using PDO(PDO's prepared statements) reduce efficiency? I have read this: Are PDO prepared statements sufficient to prevent SQL injection? But the data there is not completely clear. 回答1: Well, at second glance your question looks more complex to be answered with just

问题 Some doubts regarding Codeigniter and its Input handling capabilities. Some may be a little weird but they are doubts none-the-less. If I use the Active Record Class functions in CodeIgniter, is my input prevented against SQL injection? I read somewhere that it does, but I don't understand it how? or why? Also does xssclean deal with SQL injection in any way? 回答1: is my input prevented against SQL injection? Not exactly ‘automatically’, but it does provide parameterised queries. CodeIgniter

问题 Is there a Regular Expression that can detect SQL in a string? Does anyone have a sample of something that they have used before to share? 回答1: Don't do it. You're practically guaranteed to fail. Use PreparedStatement (or its equivalent) instead. 回答2: Use stored procedures or prepared statements. How will you detect something like this? BTW do NOT run this: DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C415 245204054205641524348415228323535292C40432056415243

问题 I'm developing a website and I'm trying to secure the connection part. I used the addslashes function on $login to stop SQL injection but some friends told me that's not enough security. However, they didn't show me how to exploit this vulnerability. How can I / could you break this code? How can I secure it? <?php if ( isset($_POST) && (!empty($_POST['login'])) && (!empty($_POST['password'])) ) { extract($_POST); $sql = "SELECT pseudo, sex, city, pwd FROM auth WHERE pseudo = '".addslashes(

问题 In PHP Manual, there is a note: Note: If this function is not used to escape data, the query is vulnerable to SQL Injection Attacks. Is this enough to anti sql injection? If not, could you give an example and a good solution to anti sql injection? 回答1: mysql_real_escape_string is usually enough to avoid SQL injection. This does depend on it being bug free though, i.e. there's some small unknown chance it is vulnerable (but this hasn't manifested in the real world yet). A better alternative

问题 In PHP Manual, there is a note: Note: If this function is not used to escape data, the query is vulnerable to SQL Injection Attacks. Is this enough to anti sql injection? If not, could you give an example and a good solution to anti sql injection? 回答1: mysql_real_escape_string is usually enough to avoid SQL injection. This does depend on it being bug free though, i.e. there's some small unknown chance it is vulnerable (but this hasn't manifested in the real world yet). A better alternative