sql-injection

C# - Using OleDbParameter on table name

感情迁移 submitted on 2019-12-11 12:09:43
Question: I want to protect my app from SQL injection. I want to use OleDbParameter in a SQL query for the table name ({1}). The problem is that it doesn't work (error in FROM or something like that). I can pass the OleDbParameter in {3} though. Example: IDbCommand cmd = m_oConnection.CreateCommand(); cmd.CommandType = CommandType.Text; cmd.CommandText = String.Format("SELECT {0} FROM {1} WHERE {2}={3}", "ParentID", "?", sWhere, "?" ); cmd.Parameters.Add(new OleDbParameter("@sTable", sTable)); cmd

SQL Injection-safe call of polymorphic function

孤街醉人 submitted on 2019-12-11 10:36:54
Question: Several times I've found myself refactoring web application code and ending up wanting to do something like this (Groovy in this case, but could be anything): Map getData(String relationName, Integer rowId) { def sql = Sql.newInstance([...]) def result = sql.firstRow('SELECT getRelationRow(?,?)', relationName, rowId) sql.close() return new HashMap(result) } where the stored procedure getRelationRow(relname text, rowid integer) executes dynamic SQL to retrieve the row of the specified rowid in

SQL Injection who should handle it? [closed]

我们两清 submitted on 2019-12-11 10:04:16
Question: Closed. This question is opinion-based. It is not currently accepting answers. Closed 5 years ago. In terms of separation of concerns, I would like to know your opinion about whether the concern of handling SQL Injection Attacks is a concern of System A or System B, let me explain: System A - You were asked to implement a Web Interface, responsible for determining

accept only number in input text box without using script

*爱你&永不变心* submitted on 2019-12-11 09:29:31
Question: How do I allow only numbers in an input text box? <input type="text" name="price" id="input-country" required placeholder="Enter Your Price" accept="number"> I used the above method but it's not working. When I only allow certain types in an image input, I use the following method: <input type="file" class="custom-file-input" accept="image/x-png, image/gif, image/jpeg"> This method works fine. In the same way, how do I allow only numbers, how do I allow only text, and how do I protect from SQL injection? Answer 1: Click this for

Safe dynamic column name in dynamic LINQ

末鹿安然 submitted on 2019-12-11 08:24:02
Question: I'm trying to create a dynamic WHERE clause with LINQ. I have a working example but I'm worried that it's not safe from SQL injection. The following LINQ code: var oQuery = _db.People.Where("FirstName.Contains(@0)", "kev"); produces the following SQL: SELECT [Extent1].[FirstName] AS [FirstName], [Extent1].[LastName] AS [LastName], WHERE [Extent1].[FirstName] LIKE '%kev%' This works great, but now I want to use a dynamic column name as well. So I was thinking I would do the following: var
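
The OleDbParameter question, the polymorphic-function question and this dynamic-LINQ question are all the same problem: a query parameter can only ever carry a value, so a table or column name cannot be bound, and the safe alternative is to check the identifier against the catalog (or an explicit allowlist) and quote it before splicing it into the statement text, while still binding the actual values. The following is an added example in Python with sqlite3, not code from any of the posts above: sqlite_master and PRAGMA table_info stand in for information_schema or the OleDb schema tables, the People/Secrets tables are constructed sample data, and quote_ident mimics PostgreSQL's quote_ident() rather than calling it.

```python
"""Dynamic table/column names: allowlist against the catalog, quote, then bind values."""
import sqlite3
from typing import List, Optional


def open_sample_db() -> sqlite3.Connection:
    """Constructed sample schema; nothing here is real data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE People (ID INTEGER PRIMARY KEY, ParentID INTEGER, FirstName TEXT);
        INSERT INTO People VALUES (1, NULL, 'kevin'), (2, 1, 'alice'), (3, 1, 'bob');
        CREATE TABLE Secrets (ID INTEGER PRIMARY KEY, Token TEXT);
        INSERT INTO Secrets VALUES (1, 'do-not-leak');
        """
    )
    return conn


def parameter_as_table_name_fails(conn: sqlite3.Connection) -> bool:
    """Reproduces the 'error in FROM' from the OleDbParameter question: a '?'
    where a table name belongs is a syntax error at prepare time, not a bind site."""
    try:
        conn.execute("SELECT ParentID FROM ? WHERE ID = ?", ("People", 2))
        return False
    except sqlite3.OperationalError:
        return True


def quote_ident(name: str) -> str:
    """Quote an identifier the way PostgreSQL's quote_ident() does: wrap in double
    quotes and double any embedded double quote. Quoting alone is not a policy
    (it would happily quote 'Secrets'), so it is paired with the check below."""
    return '"' + name.replace('"', '""') + '"'


def validate_identifier(conn: sqlite3.Connection, table: str,
                        column: Optional[str] = None) -> None:
    """Raise unless the table (and, if given, the column) exists in the catalog.
    The candidate name is itself bound as a value in the catalog lookup, so a
    payload such as "People; DROP TABLE Secrets" is never parsed as SQL."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,),
    ).fetchone()
    if row is None:
        raise ValueError(f"unknown table: {table!r}")
    if column is not None:
        cols = {r[1] for r in conn.execute(f"PRAGMA table_info({quote_ident(table)})")}
        if column not in cols:
            raise ValueError(f"unknown column {column!r} in table {table!r}")


def is_rejected(conn: sqlite3.Connection, table: str,
                column: Optional[str] = None) -> bool:
    """True when validate_identifier refuses the name."""
    try:
        validate_identifier(conn, table, column)
    except ValueError:
        return True
    return False


def select_where(conn: sqlite3.Connection, table: str, select_col: str,
                 filter_col: str, value) -> List:
    """SELECT <select_col> FROM <table> WHERE <filter_col> = ?  with all three
    identifiers allowlisted and quoted, and the comparison value bound."""
    validate_identifier(conn, table, select_col)
    validate_identifier(conn, table, filter_col)
    sql = "SELECT {} FROM {} WHERE {} = ?".format(
        quote_ident(select_col), quote_ident(table), quote_ident(filter_col))
    return [r[0] for r in conn.execute(sql, (value,))]


def allowed_for_ui(conn: sqlite3.Connection, table: str) -> bool:
    """Stricter policy for the OleDb/LINQ case: besides existing, the table must be
    on an application allowlist (assumed set), so a real but off-limits table such
    as Secrets is still refused."""
    APP_ALLOWLIST = {"People"}
    return not is_rejected(conn, table) and table in APP_ALLOWLIST
```

Existence in the catalog stops syntax-level injection; the explicit allowlist is what stops a user from pointing the query at a table they may not read. The same two checks apply whether the final statement is built in C#, in a PL/pgSQL function with format('%I'), or in a dynamic LINQ string.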

Parameters in the FormsOf function and SQL injection

廉价感情. submitted on 2019-12-11 07:22:19
Question: Is the following SQL susceptible to SQL injection via the @SearchWord parameter? I want to use parameters with the FormsOf function, but the only guide to doing so I've found is in this Stack Overflow question: How to pass parameter to FormsOf function in sql server. However, the solution seems to be to use a bit of dynamic SQL, and I was wondering if that would be susceptible to SQL injection. What would happen in the following example if @searchWord contained a SQL injection type string? Is

Prevent JPQL query sql injection

限于喜欢 submitted on 2019-12-11 06:57:09
Question: I was advised that the query below is not safe, as the parameter :searchFor, coming from an input field in the front end, can be used for SQL injection. Please advise what the best solution is to prevent SQL injection in the code below. @Query("SELECT u FROM User u WHERE lower(u.username) LIKE %:searchFor% " + " OR lower(concat(u.firstname, ' ', u.lastname)) LIKE %:searchFor% " + " OR lower(u.email) LIKE %:searchFor%") Page<User> findAllAndSearch(@Param(value = "searchFor") String searchFor, Pageable pageable); I
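
Binding :searchFor as a named parameter already makes the JPQL query above immune to SQL injection: a bound value can never close the string literal or append clauses (the same holds for the FormsOf question as long as the dynamic SQL passes @SearchWord through as a parameter rather than concatenating it). What binding does not do is stop the value from carrying LIKE wildcards, so a '%' or '_' turns a narrow search into "match every user" and allows character-by-character probing. The fix is an ESCAPE clause plus a helper that escapes '%', '_' and the escape character. The following is an added example, not the poster's code: sqlite3 stands in for the JPA provider, the users table is constructed sample data, and the SQL is the sqlite equivalent of the posted JPQL.

```python
"""LIKE-wildcard escaping for a bound search term."""
import sqlite3
from typing import List

ESC = "\\"  # the escape character declared in the ESCAPE clause


def escape_like(term: str, esc: str = ESC) -> str:
    """Escape LIKE metacharacters so `term` matches literally. The escape
    character itself is escaped first, so a user-supplied backslash cannot
    cancel the escaping of a '%' that follows it."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def open_sample_db() -> sqlite3.Connection:
    """Constructed sample users; not real data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, firstname TEXT, lastname TEXT, email TEXT);
        INSERT INTO users VALUES
            ('kevin',     'Kevin', 'Smith', 'kevin@example.com'),
            ('alice',     'Alice', 'Jones', 'alice@example.com'),
            ('bob_admin', 'Bob',   'Lee',   'bob@example.com');
    """)
    return conn


def search_users_naive(conn: sqlite3.Connection, search_for: str) -> List[str]:
    """Equivalent of the posted query: bound parameter, no escaping. Safe against
    SQL injection, but any wildcard inside search_for is live."""
    pattern = "%" + search_for.lower() + "%"
    sql = """SELECT username FROM users
             WHERE lower(username) LIKE ?
                OR lower(firstname || ' ' || lastname) LIKE ?
                OR lower(email) LIKE ?"""
    return [r[0] for r in conn.execute(sql, (pattern, pattern, pattern))]


def search_users_escaped(conn: sqlite3.Connection, search_for: str) -> List[str]:
    """Same query with ESCAPE '\\' and the term escaped; only the two '%' that the
    application itself adds act as wildcards."""
    pattern = "%" + escape_like(search_for.lower()) + "%"
    sql = """SELECT username FROM users
             WHERE lower(username) LIKE ? ESCAPE '\\'
                OR lower(firstname || ' ' || lastname) LIKE ? ESCAPE '\\'
                OR lower(email) LIKE ? ESCAPE '\\'"""
    return [r[0] for r in conn.execute(sql, (pattern, pattern, pattern))]


def breakout_payload_is_inert(conn: sqlite3.Connection) -> bool:
    """A string-breakout payload is bound as data: it is searched for literally,
    matches nothing, and the table is untouched."""
    rows = search_users_naive(conn, "' OR 1=1 --")
    still_there = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE name = 'users'").fetchone()[0]
    return rows == [] and still_there == 1
```

In JPQL the same shape is `LIKE :searchFor ESCAPE '\\'` with the escaping done in Java before the call, and the `%` added around the escaped term in code rather than in the query string.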

MS Access - prevent SQL injection in connection string

一曲冷凌霜 submitted on 2019-12-11 06:45:48
Question: I have an Access database that must connect to Oracle programmatically to create a linked table. The connection string is of the form: ODBC;Driver={Microsoft ODBC for Oracle};Pwd=<Password>;UID=<User>;Server=<Server> Currently the login info is hardcoded. I now have to have the tool connect to different databases. I was going to simply let the user enter the <User>, <Password>, and <Server> and then just concatenate it all together into a single connection string. I'm pretty sure this is
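
Concatenating the user's User, Password and Server values into the connect string lets a ';' inside any of them add or repeat keywords (a password of `hunter2;Server=evil.example` becomes a second Server entry), which is connection-string injection rather than SQL injection. The following is an added example, not the poster's Access/VBA: it compares the naive concatenation with a builder that applies the ODBC convention of wrapping a value containing ';' (or leading/trailing blanks, or a leading '{') in braces, and a small parser shows what a driver would see. The builder refuses values containing '}' instead of relying on driver-specific escaping; that conservative choice, like the sample values, is an assumption of this example and not a quoted spec.

```python
"""Connection-string injection and brace quoting for ODBC keyword values."""
from typing import List, Tuple

DRIVER = "{Microsoft ODBC for Oracle}"  # fixed by the application, not user input


def quote_value(value: str) -> str:
    """Brace-quote a value that would otherwise be split at ';' or trimmed."""
    if "}" in value:
        raise ValueError("value contains '}' and cannot be brace-quoted safely")
    if ";" in value or value.startswith("{") or value != value.strip():
        return "{" + value + "}"
    return value


def is_quotable(value: str) -> bool:
    try:
        quote_value(value)
    except ValueError:
        return False
    return True


def naive_connect_string(server: str, uid: str, pwd: str) -> str:
    """The concatenation described in the question."""
    return f"ODBC;Driver={DRIVER};Pwd={pwd};UID={uid};Server={server}"


def safe_connect_string(server: str, uid: str, pwd: str) -> str:
    """Same layout, with each user-supplied value quoted."""
    fields = [("Driver", DRIVER), ("Pwd", quote_value(pwd)),
              ("UID", quote_value(uid)), ("Server", quote_value(server))]
    return "ODBC;" + ";".join(f"{k}={v}" for k, v in fields)


def parse_connect_string(s: str) -> List[Tuple[str, str]]:
    """Tokenise 'Key=Value' pairs separated by ';'. A value starting with '{' runs
    to the next '}' and may contain ';'. Pairs are returned in order with
    duplicates kept, so an injected override is visible. A bare token with no
    '=' (the leading 'ODBC') is returned with an empty value."""
    pairs: List[Tuple[str, str]] = []
    i, n = 0, len(s)
    while i < n:
        j = i
        while j < n and s[j] not in "=;":
            j += 1
        key = s[i:j].strip()
        if j >= n or s[j] == ";":
            if key:
                pairs.append((key, ""))
            i = j + 1
            continue
        i = j + 1  # past '='
        if i < n and s[i] == "{":
            end = s.find("}", i + 1)
            if end == -1:
                raise ValueError("unterminated '{' in connection string")
            value = s[i + 1:end]
            nxt = s.find(";", end + 1)
        else:
            nxt = s.find(";", i)
            value = s[i:] if nxt == -1 else s[i:nxt]
        pairs.append((key, value))
        i = n if nxt == -1 else nxt + 1
    return pairs


def values_of(s: str, keyword: str) -> List[str]:
    """All values given for a keyword, in order; more than one means an override."""
    return [v for k, v in parse_connect_string(s) if k.lower() == keyword.lower()]
```

Whichever occurrence a given driver honours, a duplicated Server or Driver keyword is already a sign that user input reached the keyword layer; the brace-quoted form keeps the whole password inside one value. In .NET the equivalent is OdbcConnectionStringBuilder; in Access/VBA the brace quoting has to be done by hand as above.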

ModSecurity gives Generic SQL injection protection error

你说的曾经没有我的故事 submitted on 2019-12-11 06:08:12
Question: I got this error on my cPanel server. It doesn't happen on every update, just some SQL. [Sat Mar 11 03:48:18.409435 2017] [:error] [pid 31376:tid 140202228020992] [client 180.253.119.171] ModSecurity: Access denied with code 500 (phase 2). Pattern match "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" at ARGS:description. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "254"] [id "300015"] [rev "1"] [msg "Generic SQL injection
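
The pattern in the log line explains why only some updates are blocked: the `update.+set.+=` alternative fires on any description that contains the word "update", later the word "set", and later an "=", which ordinary prose produces, while the other alternatives need a literal DDL or DELETE FROM phrase. The following is an added example, not ModSecurity's code: it re-creates the rule's match logic in Python so you can see which field values trip id 300015. Two details are assumptions because the excerpt does not show them: the POSIX `[[:space:]]` class is rendered as `\s`, and matching is case-insensitive (such rules normally lowercase the input first). The tighter UPDATE pattern and the sample descriptions are this example's own, not a shipped rule or data from the poster's site.

```python
"""Reproduce the match logic of the ModSecurity rule from the log line."""
import re
from typing import Dict, Optional

RULE_ID = "300015"

# Same structure as the pattern in the log line, translated from PCRE to re.
GENERIC_SQLI = re.compile(
    r"((alter|create|drop)\s+(column|database|procedure|table)"
    r"|delete\s+from"
    r"|update.+set.+=)",
    re.IGNORECASE,
)

# Tighter UPDATE clause (example suggestion): requires an object name directly
# before SET and an assignment directly after it, which sentences rarely produce.
TIGHT_UPDATE = re.compile(
    r"\bupdate\s+[\w.\[\]]+\s+set\s+[\w.\[\]]+\s*=", re.IGNORECASE)

# Constructed form-field values, labelled by what they are.
SAMPLE_DESCRIPTIONS: Dict[str, str] = {
    "benign_update": "Please update the listing and set the price = 10 if it is unsold",
    "benign_delete": "Delete from my calendar the meeting on Friday",
    "benign_plain":  "Great product, would buy again",
    "attack_ddl":    "x'; DROP TABLE users; --",
    "attack_update": "x'; UPDATE users SET admin=1 WHERE name='kevin'; --",
}


def generic_match(value: str) -> Optional[str]:
    """Return the substring that rule 300015's pattern matched, or None."""
    m = GENERIC_SQLI.search(value)
    return m.group(0) if m else None


def tight_update_match(value: str) -> bool:
    """True when the stricter UPDATE ... SET x = form is present."""
    return TIGHT_UPDATE.search(value) is not None


def classify(values: Dict[str, str]) -> Dict[str, bool]:
    """Which inputs the rule would block (HTTP 500 in the poster's config)."""
    return {name: generic_match(v) is not None for name, v in values.items()}
```

Running classify over the samples shows two benign sentences blocked alongside the two attacks, which is the behaviour the poster is seeing. A WAF rule this coarse is a backstop at best; the application's own queries still need bound parameters, and tuning (a tighter pattern, or excluding free-text fields such as description from this rule) is how the false positives are handled on the server side.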

Why does my query with named parameters return a blank result?

放肆的年华 submitted on 2019-12-11 05:59:06
Question: I am converting my MySQL code over to PDO to take advantage of prepared statements. I was originally getting a fatal error as described in this question. I had solved that issue, but it brought up more problems when trying to add parameters. The code I am trying to get working is: include ("foo/bar.php"); try { $DBH = new PDO("mysql:host=$hostname;dbname=$database", $username, $password); } catch(PDOException $e) { echo $e->getMessage(); } $mydate=date("Y-m-d",strtotime("-3 months")); $foo