sql-injection

问题 This question already has answers here : How can I prevent SQL injection in PHP? (28 answers) Closed 5 years ago . I am forced to generate dynamic SQL. I realize it greatly complicates matters to do so, and the below example is silly and obviously does not require dynamic SQL, and is just used to illustrate this question. Escaping user provided data is not enough, and the 3rd query in the below script is suspect to SQL Injection. I have found that it is generally easiest to design the

问题 I am trying to create an SQL statement using user-supplied data. I use code similar to this in C#: var sql = "INSERT INTO myTable (myField1, myField2) " + "VALUES ('" + someVariable + "', '" + someTextBox.Text + "');"; var cmd = new SqlCommand(sql, myDbConnection); cmd.ExecuteNonQuery(); and this in VB.NET: Dim sql = "INSERT INTO myTable (myField1, myField2) " & "VALUES ('" & someVariable & "', '" & someTextBox.Text & "');" Dim cmd As New SqlCommand(sql, myDbConnection) cmd.ExecuteNonQuery()

问题 This related question asks about using a parameterized query when using the commandline mysql tool in bash. However, it seems that the top answer is still vulnerable to injection (eg ; DROP TABLE user; -- ). While the answer certainly does address the question of how to pass in variables at all , it does not address the question of how to do it using parameterized queries . My question: Does the linked accepted answer in the linked question provide protection against SQL injection, and have

问题 I am in search of a function that will secure All DB queries from MOST of the common threats and attacks. its like combining the classes of CI and Zend with putting custom code to have a fully customized security function. 来源： https://stackoverflow.com/questions/7753982/sql-injection-and-xss-protection-in-php-combining-code-ignitors-xss-clean-and

问题 I want to know if there is a possibility to inject sql query into procedure argument. I have particular case: ALTER PROCEDURE [Test].[Injection] @Query varchar(250) = null AS SET NOCOUNT ON SET @Query = REPLACE(@Query,'','') COLLATE Latin1_General_CI_AI ... more sql code SELECT * FROM Customers WHERE (@Query IS NULL OR (Name COLLATE Latin1_General_CI_AI like '%'+@Query+'%')) ORDER BY ExternalCode ASC I want to inject sql query using @Query variable and possibly comment the rest of the code.

问题 I've done some searching around but I have a specific question on SQL Injection and hope I can get some input as I believe I may be getting the wrong end of the stick to do with field data sanitising etc :- I have a java program calling a stored procedure on an iSeries. The stored procedure has CL / RPG code behind the scenes. The stored procedure is called by way of parameters with the data coming from a web page. For example the call would look like the following:- call library.prog(

问题 From a great reply: in PostgreSQL, CREATE FUNCTION is indeed a "SQL statement" but is is merely a "wrapper" to specify a block of code that is executed by something different than the SQL query "engine". Postgres (unlike other DBMS) supports multiple "runtime engines" that can execute the block of code that was passed to the "CREATE FUNCTION" statement - one artifact of that is that the code is actually a string so CREATE FUNCTION only sees a string, nothing else. What are the consequences of

问题 I am using a MS Access form with the below vba code for my startup page where the user enters a username and password where if its ok, he is forwarded to a dashboard page with relevant content. I was checking to see if the code is SQL Injection proof, and to my horror, it proceeded to log in without a single problem! Could anyone please assist me harden the code to prevent a sql injection attack? If (Me.UserNameTextBox <> "" And Me.passwordtextbox <> "") Then hook = """" SQLCheckUser = ""

问题 Is createNativeQuery() safe against SQL injection if used as in: @ManagedBean @ViewScoped public class UserController { @PersistenceContext private EntityManager em; public User register(User u) { Query query = em.createNativeQuery("SELECT r1_register(?,?,?,?,?,?,?)"); short i = 0; query.setParameter(++i, u.getUsername()); query.setParameter(++i, u.getPassword()); query.setParameter(++i, u.getName()); query.setParameter(++i, u.getSurname()); query.setParameter(++i, u.getEmail()); query

问题 I am designing a site for a network security class that is intended to be vulnerable to SQL injection. My query is with php and looks like this $sql = "SELECT * FROM blogposts WHERE name= '" . $_POST["blogname"] . "'"; It is querying a post from the table blogposts. I am using mysql_fetch_array to print it so it should still print out results regardless of the column name. However, in my database I have another table called users that has usernames and passwords. That I would like the query