sql-injection

问题 I thought I would get your opinion on an option I thought that would essentially eliminate the possibility of SQL injection (I think). Currently, I have my admin account which obviously gives me full command of the database (alter, drop, etc). I than have an account that PHP uses which only has access to SELECT, UPDATE, DELETE, INSERT. What about setting up a user for each of those actions, and then just referencing the connect ID in the mysql_query statement - now obviously this would put a

问题 I'm implementing a simple search function that should check for a string in either the username, last_name and first_name. I've seen this ActiveRecord method on an old RailsCast: http://railscasts.com/episodes/37-simple-search-form find(:all, :conditions => ['name LIKE ?', "%#{search}%"]) But how do I make it so that it searches for the keyword in name, last_name and first name and returns the record if the one of the fields matched the term? I'm also wondering if the code on the RailsCast is

问题 Someone has hacked my database and has dropped the table. In my PHP page there is one single query where I am using mysql_real_escape_string: $db_host="sql2.netsons.com"; $db_name="xxx"; $username="xxx"; $password="xxx"; $db_con=mysql_connect($db_host,$username,$password); $connection_string=mysql_select_db($db_name); mysql_connect($db_host,$username,$password); mysql_set_charset('utf8',$db_con); $email= mysql_real_escape_string($_POST['email']); $name= mysql_real_escape_string($_POST['name']

问题 Originally I used mysql_connect and mysql_query to do things. Then I learned of SQL injection, so I am trying to learn how to use prepared statements. I understand how the prepare and execute functions of the PDO class are useful to prevent SQL injection. Are prepared statements only necessary when a users input is stored into a database? Would it be okay to still use mysql_num_rows , since I don't really run the risk of being hacked into by using this function? Or is it more secure to use

问题 As a reaction to MySqlParameter as TableName, it seems that MySQL's Connector/NET library doesn't support table names from user input in the following way: MySqlCommand cmd = new MySqlCommand("SELECT * FROM @table"); cmd.Parameters.AddWithValue("@table",TableNameFromUserInput); So I tried to find another way, but I couldn't find any libraries that did this for me. When searching for how to do this manually, I couldn't found anything that didn't tell you to use "prepared statements" from some

问题 I've come os far as to gaining basic understanding of prepared statements and I get that they prevent SQL-injection attacks. But I have yet to understand WHY they protect against said attacks. I know there are similar questions asked but I didn't find the answers entirely satisfying. Example - very unsafe code So here we have the most basic way to communicate with our database: $query = "SELECT * FROM users where id=$username"; Without any protection, a user can input malicious code and thus

问题 I'm trying to understand SQL Injection. It seems like people can get pretty creative. Which gets me wondering about my search-based rails webapp I'm making. Suppose I just fed user-entered information directly into the "where" statement of my SQL query. How much damage could be done to my database by allowing this? def self.search(search) if search includes(:hobbies, :addresses).where(search) else self.all end So basically, whatever the user types into the search bar on the home page gets fed

问题 Is there any method to avoid SQL injection and other security failure in JavaFX desktop application? If yes, how can I do it? 回答1: SQL Injection attacks are related to malicious statements deliberately sent by the end user to the database, while JavaFX is the front-end from a user's point of view. That said, let's assume you have a login screen to input user and password. Could you prevent the user to type one of the following sentences instead of their real user name? DROP TABLE Users; --or

问题 This question already has answers here : Closed 7 years ago . Possible Duplicate: Best way to stop SQL Injection in PHP The ultimate clean/secure function My website was attacked via sql injection and now I need to improve it. I'm creating a function in PHP escape() , that returns the escaped version of a string. I'm not a hacker so please help me to improve my escape function. Here is the current version: function escape($string){ $string = stripslashes($string); $string = mysql_real_escape

问题 I am trying to write a website with Django that could display SQL injection for classroom purposes.However when i try to exploit the query nothing is getting returned. I am using a MYSQL database peopledata = people.objects.raw("select * from people where name = \"%s\" "%input result = list(peopledata) I tried using "; show tables; -- and "; -- , in the input field and nothing showed up. Is there a way to display the exploited data? 回答1: Your input should be any_name OR'x'='x' or any_name OR