sql-injection

问题 I have recently inherited control of a web application (primarily PHP, but also a good chunk of JavaScript) at my workplace. One of my top priorities is to make sure that the application is secure. Unfortunately, database access in the application is currently done through a custom class, not MYSQLi or PDO. It will take me a while before I transition completely to PDO but in the meanwhile, I want to do all I can to make the application as secure as possible. Currently all input is passed

问题 Ok, so I am using ServiceStack OrmLite for my data needs in my Web API. When I submitted my code to VeraCode for code security scanning and verification the result report showed that OrmLite shows potential SQL Injection attack vectors. ServiceStack.OrmLite.dll GridReader DapperMultiple(System.Data.IDbConnection, string, object, System.Data.IDbTransaction,System.Nullable<int>, System.Nullable<System.Data.CommandType>) ServiceStack.OrmLite.dll int ExecuteCommand(System.Data.IDbConnection,

问题 I'm creating a test project for my classmates to show how php code with unchecked variables is dangerous. I'm using the deprecated mysql_* function and a simple database with 2 tables: users data and in the users I have just the admin user. I have created a simple html form: <form action="login" method="POST"> username: <input type="text" name="username"> password: <input type="text" name="password"> <input type="submit" value="login"> </form> and the login.php page simply get the post data

问题 As a prevention against SQL injections, I'm using PDO. I have seen people using both the methods ie: bindValue() and then execute() or just execute(array()) Do both the methods prevent the attack? Since mysql_real_escape_string() is deprecated is there anything else I should consider using here? Like for $aenrollmentno should I typecast into $aenrollmentno = (int)($_POST['aenrollmentno']); Will this be safe enough if I'm not using it in a prepared statement? Any other security measure that I

问题 Recently, my database experienced an attack from mysql injections. I did not know about injections before this incident. However, I have been studying up on what it is and how to prevent it, but I cannot seem to get anything to work for this script when I try to add sql injection protection (it works fine on it's own). How could a pdo script like this add sql injection protection? <?php $username = $_GET["hits"]; $sq = "something"; $pu = $_GET["something"]; $jjj = "something"; $fff =

问题 I have found stripslashes function but I would rather find where I am adding more slashes than I should. My functions use mysql_real_escape_string once for each variable and I am querying database using "insert into foo(bar,bar) values($baz,$baz)" maybe this is the problem. phpinfo gives magic_quotes_gpc On On magic_quotes_runtime Off Off magic_quotes_sybase Off Off static function insert($replyto,$memberid,$postid,$comment) { $message=array(); $lenmax=1000; $lenmin=5; $toolong="comment is

问题 So I have a bit of a problem. On a website I am developing I allow people to type in an address, once they hit a save button the address they type gets stored in my database. I was (mistakenly) under the impression that using parameterized queries would help prevent SQL injection, here is my code once they press "save" SqlConnection Conn = new SqlConnection(@"Data Source=**********;Initial Catalog=********;Persist Security Info=True;User ID=******;Password=*********"); SqlCommand

问题 I have a web application that I am trying to "break".There's a login page that requires username and password input. Let's say I have a table Auser that stores username's info in MySQL. When I hit Login after keying the credentials,it executes this line of code: String sql = "select object(o) from Auser as o where ausername='" + username + "'"; Now, I know not using preparedStatement makes SQL query vulnerable to SQL injection and I want to perform such a stunt. I created a dummy table called

问题 code (newbie): if(isset($_POST['selection'])) { include_once 'pdo_init.php'; $params_str = str_repeat('?,',count($_POST['selection'])); $params_str = substr($params_str,0,-1); $res = $pdo->prepare('DELETE FROM funcionario WHERE codigo in ('.$params_str.')'); if($res->execute($_POST['selection'])) { return json_encode(array( 'success' => 1, 'msg' => 'os registros foram deletados com sucesso!' )); } else { return json_encode(array( 'success' => 0, 'msg' => 'nao admitimos sql-injection aqui seu

问题 Basically I am making a web application and I am going through the security of it to make my app as robust as I can. Once you're logged in to my app I track that user based on session variables. When SQL is performed it takes the users session variable to see who they are for example. $name = $_SESSION['user_name']; A example query would be something like this.. $query1 = "SELECT * FROM tableName WHERE userName = '$name'"; From reading online sites say things like I must not use "user input