sql-injection

问题 I need a linux bash script which send me an email if any results appear in searches made in the apache logs. I have a very simple method (sentence) to look into SQL Injection attacks, which simply searches for some keywords used in SQLi. Is this: #tail -50000 /var/vhosts/site.com/logs/access_log | egrep -i "select%20|union%20|'|1=1" So now I would like to be able to launch it in several access_log (for each website - virtual host I have) and send me an email in case of finding results. In a

问题 If yes, why are there still so many successful SQL injections? Just because some developers are too dumb to use parameterized statements? 回答1: The links that I have posted in my comments to the question explain the problem very well. I've summarised my feelings on why the problem persists, below: Those just starting out may have no awareness of SQL injection. Some are aware of SQL injection, but think that escaping is the (only?) solution. If you do a quick Google search for php mysql query ,

问题 I have a problem doing a parametrized sql query to a OdbcConnection to a odbc driver in C#. The column name and table name will be configurable from a web gui so I want it protected from injections using (OdbcCommand command = connection.CreateCommand()) { command.CommandText = "SELECT ? FROM ?"; command.CommandTimeout = SynchTimeout; command.CommandType = CommandType.Text; command.Parameters.Add(new OdbcParameter(string.Empty, "User")); command.Parameters.Add(new OdbcParameter(string.Empty,

问题 In php, what is the difference and which is better and why, using mysqli. I have a whole project written with real escape string, is it necessary to convert to object oriented prepared statements? 回答1: From the programmers point of view, the difference between escaping the values manually and parameterized/prepared statements as implemented by PDO is the degree of separation, automation, and a shift of responsibility. With *_escape_string the developer has to ensure that all values: are

问题 I use this for validation: class MyValidationForm(forms.Form): title = forms.CharField() body = forms.Textarea() taxonomy = forms.IntegerField() and this is my class-based view: class blog_createpost(dashboardBaseViews): template_name = "dashboardtems/blog_createpost.html" model = {} def post(self, request, *args, **kwargs): form = MyValidationForm(request.POST) if not form.is_valid(): return HttpResponse("not valid") new_data = post(title=request.POST['title'], body=request.POST['body'],

问题 Closed . This question needs details or clarity. It is not currently accepting answers. Want to improve this question? Add details and clarify the problem by editing this post. Closed 3 years ago . Hi I've been repeatedly told not to use concatenation in my sql code for fear of an sql-injection attack . However I've tried to crack my own code with No success . Is out even possible to sql-inject through a window form ? Please find the relevant piece of code below: SqlConnection con = new

问题 From https://en.wikipedia.org/wiki/Code_injection#Preventing_problems To prevent code injection problems, utilize secure input and output handling, such as: Using APIs that, if used properly, are secure against all input characters. Parameterized queries (also known as "Compiled queries", "prepared statements", "bound variables") allows for moving user data out of string to be interpreted. Additionally Criteria API[7] and similar APIs move away from the concept of command strings to be

问题 I have some code like this which is open to SQL injection. We got hacked and now we fixed it. I just want to know what the inputs (username and password) must be in order to hack this code. I mean even if you input username = something' OR 'x'='x Then you can retrieve the password of the first user in the table regardless of the username. However, inside the if we check whether this password is correct. I am assuming the password was very easy (as easy as 123456 ) and the hacker made a brute

问题 I am new to PHP and hope someone can help me with this. I would like to store two values (an email and a password) in a MySQL db using PHP . The input is passed to the PHP page via Ajax in jQuery (through an onclick event on a website). Now I want to protect this PHP query against SQL injection - I am talking about a standard website so I don't want to overdo it but I think some standard protection can't be bad. Below is what I had before just to ensure that the general procedure is working

问题 I'm stuck with an sql injection problem. My page displays the table's data as follows: <input type="checkbox" name="id[]" value="<?php echo $row['id']; ?>" /><?php echo $row['data']; ?><br /> How can I be sure that the submitted value is the id of this specific row an not a random number "injected" in the page? Obviously, I would start checking that the id returns true to is_numeric() / get it through mysql_real_escape_string(). Then, I thought of two options: Adding a hidden input with a