sql-injection

问题 What changes SqlCommand.Parameters.AddWithValue() does with the query? I expect that: It replaces every ' character by '' , If a parameter value is a string or something which must be converted to a string, it surrounds the value by ' , so for example select * from A where B = @hello will give select * from A where B = 'hello world' . If a parameter value is something "safe" like an integer, it is inserted in a query as is, without quotes, so select * from A where B = @one would give select *

问题 How could I select a row of MS SQL server database with Node.JS with preventing SQL injection? I use the express framework and the package mssql. Here is a part of my code I use now with a possibility to SQL injection written in ES 6. const express = require('express'), app = express(), sql = require('mssql'), config = require('./config'); let connect = (f, next) => { sql.connect(config.database.connectionstring).then(f).catch((err) => { next(err); }); }; app.get('/locations/get/:id', (req,

问题 string sqlCmd = @"SELECT r.row_id AS resp_id, r.name AS resp_name FROM srb.s_resp r, srb.s_per_resp pr, srb.s_contact c, srb.s_user u WHERE r.row_id = pr.resp_id AND u.row_id = c.row_id AND c.person_uid = pr.per_id AND UPPER(u.login) = @login ORDER BY r.name"; OracleConnection con = new OracleConnection(getConnectionString(username, password)); OracleCommand command = con.CreateCommand(); conSiebel.Open(); command.CommandType = CommandType.Text; command.Connection = con; command.CommandText =

问题 I'm using a simple cms as backend to my website where I'm able to update news and such. I want to be safe from SQL-injections, so I'm wondering if this code is considered to be safe or if there's something I can do to make it safer: if($_POST) { if(isset($_POST['title']) and (isset($_POST['content']) and ($_POST['added']))) { $title = "'".mysql_real_escape_string($_POST['title'])."'"; $content = "'".mysql_real_escape_string($_POST['content'])."'"; $added = "'".mysql_real_escape_string($_POST[

问题 I'm implementing a bulk delete feature. The application uses PDO, but I haven't figured out a nice way to use prepared statements for this. I have an array of ID's of rows to delete, any length: array(3, 5, 8, [...]) With prepared statements I'd have to create a string of questions marks to use as a placeholder, and then bind the values, looking something like this: $question_marks = array(); foreach($ids) $question_marks[] = '?'; $question_marks = join(', ', $question_marks); $statement =

问题 I have old projects containing a lot of queries which are not using cfqueryparam to prevent SQL injection. Is there any way to use some function to do similar on Application level on each form field? As a beginner with a PHP background, I thought I could loop posted data and do an escape_string() or similar. but I don't want data to be saved in escaped form. I think cfqueryparam doesn't save data in escaped form. (I haven't tried it yet. I'm new at CF.) Otherwise, I have to unescape the data

问题 So if some parts of the code are prone to sql injection, at least the user can't write anything to the database if he happens to be using the front end which does not have universal write access to everything? 回答1: Yes, I would say it's good practice to have users connect using accounts that only allow the least privileges they need to use the site. If your web users should only be reading data from the database then I would definitely create an account that only has read access and have them

问题 function Query() { $args = func_get_args (); if (sizeof ($args) > 0) { $query = $args[0]; for ($i = 1; $i < sizeof ($args); $i++) $query = preg_replace ("/\?/", "'" . mysql_real_escape_string ($args[$i]) . "'", $query, 1); } else { return FALSE; } I have a function like this. Basically, I make a query like this: $this->Query('SELECT * FROM USERS WHERE Username = ? AND Points < ?', $username, $points); It currently supports deprecated mysql functions, but adapting to mysqli will be as easy as

问题 I'm using MSSQL Server 2012. The websites connected to this database is developed by ASP.NET C# 2012. Recently my database been hacked or injected by spam links, and they all start the same <div style="display:none"> ..... with some help I made a function that cleans the updated fields, but the problem is after few days the same thing happened again! I can keep cleaning the database, but I'm trying to find an ultimate solution to prevent this from happening for good.. any ideas? Note: I

问题 These functions give access to specialty functions (SqlClient) in SQL. For example 'like' or 'between'. And they also give a nicer common abstraction layer for them. Not to be confused with stored procedure(s) "functions" which is the topic of this other question. My question that I can't seem to find a full answer for is. Are they safe to use, or am I opening the system to a SQL injection attack? I always use bound variables when writing regular SqlCommands. But in moving to Entity Framework