sql-injection

问题 In CodeIgniter, how can I avoid sql injection? Is there any method to set in config file to avoid sql injection? I am using this code for selecting values: $this->db->query("SELECT * FROM tablename WHERE var='$val1'"); and this for inserting values: $this->db->query("INSERT INTO tablename (`var1`,`var2`) VALUES ('$val1','$val2')"); Another method used to insert and select values from the database is CodeIgniter's insert() and get() methods. Is any chance to sql injection while using

问题 This is my code: $email= mysqli_real_escape_string($db_con,$_POST['email']); $psw= mysqli_real_escape_string($db_con,$_POST['psw']); $query = "INSERT INTO `users` (`email`,`psw`) VALUES ('".$email."','".$psw."')"; Could someone tell me if it is secure or if it is vulnerable to the SQL Injection attack or other SQL attacks ? 回答1: Could someone tell me if it is secure or if it is vulnerable to the SQL Injection attack or other SQL attacks ? As uri2x says, see SQL injection that gets around

问题 I'm aware that SQL injection is rather dangerous. Now in my C# code I compose parameterized queries with SqlCommand class: SqlCommand command = ...; command.CommandText = "SELECT * FROM Jobs WHERE JobId = @JobId;"; command.Parameters.Add("@JobId", SqlDbType.UniqueIdentifier ).Value = actualGuid; command.ExecuteNonQuery(); Will this automatically make my code immune to SQL injection? Do I have to do something extra? 回答1: I'd say for your particular, and probably canonical, example for

问题 I have some queries (to an acccess database) like this : string comando = "SELECT * FROM ANAGRAFICA WHERE E_MAIL='" + user + "' AND PASSWORD_AZIENDA='" + password + "'"; and I'd like to "escape" user and password, preventing an injection. How can I do it with C# and .NET 3.5? I'm searching somethings like mysql_escape_string on PHP... 回答1: You need to use parameters. Well dont have to but would be preferable. SqlParameter[] myparm = new SqlParameter[2]; myparm[0] = new SqlParameter("@User"

问题 We are having another discussion here at work about using parametrized sql queries in our code. We have two sides in the discussion: Me and some others that say we should always use parameters to safeguard against sql injections and the other guys that don't think it is necessary. Instead they want to replace single apostrophes with two apostrophes in all strings to avoid sql injections. Our databases are all running Sql Server 2005 or 2008 and our code base is running on .NET framework 2.0.

问题 I have seen a few people on here state that concatenating queries using mysql_real_escape_string will not protect you (entirely) from SQL injection attacks. However, I am yet to see an example of input that illustrates an attack that mysql_real_escape_string would not protect you from. The majority of examples forget that mysql_query is limited to one query and use mysql_real_escape_string incorrectly. The only example I can think of is the following: mysql_query('DELETE FROM users WHERE user

问题 I just inherited a project because the last developer left. The project is built off of Code Igniter. I've never worked with Code Igniter before. I took a quick look at the code and I see database calls in the controller like this: $dbResult = $this->db->query("SELECT * FROM users WHERE username = '".$_POST['user_name']."'"); or calls like this: $dbResult = $this->db->query("SELECT * FROM users WHERE username = '".$this->input->post('username')."'"); Does code igniter automatically sanitize

问题 I am working on a form with the possiblity for the user to use illegal/special characters in the string that is to be submitted to the database. I want to escape/negate these characters in the string and have been using htmlspecialchars(). However, is there is a better/faster method? 回答1: If you submit this data to the database, please take a look at the escape functions for your database. That is, for MySQL there is mysql_real_escape_string. These escape functions take care of any characters

问题 As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance. Closed 6 years ago . I know that PDO prepared statements should be used to avoid SQL injection. Must it always have this format: $stmt = $db->prepare(

问题 How can I allow special characters like " ' \ / : ; etc without open up for SQL injection using the code below: $opendb = mysql_connect($dbhost, $dbuser, $dbpass); mysql_select_db($dbname); $text = $_POST['text']; mysql_query("UPDATE table SET text='" . $text . "' WHERE id='" . $_GET['id'] . "'"); mysql_close($opendb); $text contains a sentence from a HTML textarea. When I tries to enter text in a quote it just insert the text before the quotes. 回答1: Prepared statement This would be the