sql-injection

问题 I am referring to this answer of mine to another question, which another user criticized because vulnerable to SQL injection, even if no user input is requested and escape procedure is called. The following code is used to create a .sql dump of an SQLite database, using only PHP code with no call to sqlite3 tool (which was the original request of the author of the question). <?php $db = new SQLite3(dirname(__FILE__)."/your/db.sqlite"); $db->busyTimeout(5000); $sql=""; $tables=$db->query(

问题 I have up to 100 items I would like to insert in one batch operation. I am doing it like this: INSERT INTO MyTable (f1, f2, ..., fk) VALUES (v11, v12, ..., v1k), (v21, v22, ..., v2k), ... (vn1, vn2, ..., vnk) All is fine, but I am building this string by concatenating the values as is, which means my code is vulnerable to SQL injection. How can I continue using the bulk insert syntax on one hand, yet be protected from the SQL injection? EDIT 1 I would like to provide a bit more context. The

问题 i have some php script and i think this have a lot of mistake. because of my limited knowledge in concatenation and SQL injection. At 1st time i'm not have any trouble because this script use PHP-Mysql. But after i try to change into Interbase, i meet a lot of trouble. Please help to identify my fault. this my following query: $sLimit = ""; if ( isset( $_POST['iDisplayStart'] ) ) { $sLimit = " FIRST ".$_POST['iDisplayStart']." SKIP ".$_POST['iDisplayLength']; } $sOrder =""; $sOrder = " ORDER

问题 Is it a good, or stupid idea to sanitize all the data that could be sqlinjected? I wrote a function that should do it, but I've never seen it done and was wondering if it was a poor idea. The function I wrote: function sanitizeData() { $_SERVER['HTTP_USER_AGENT'] = mysql_real_escape_string($_SERVER['HTTP_USER_AGENT']); foreach(array_keys($_COOKIE) as $key) { $_COOKIE[$key] = mysql_real_escape_string($_COOKIE[$key]); } foreach(array_keys($_POST) as $key) { $_POST[$key] = mysql_real_escape

问题 I am using vb.net in Visual Basic 2010 and using Query to edit my Online MySQL Database from the application (WinForms). Here is a sample to insert a new user into the database: MySQLCon.Open() Dim SQLADD As String = "INSERT INTO members(member,gamertag,role) VALUES('" & memberToAdd.Text & "','" & membersGamertag.Text & "','" & membersRole.Text & "')" COMMAND = New MySqlCommand(SQLADD, MySQLCon) READER = COMMAND.ExecuteReader memberToAdd.Text = "" membersGamertag.Text = "" membersRole.Text =

问题 Please read fully first In this answer: How to prevent SQL injection with dynamic tablenames? Pekka points out why this code: $clas=$_POST['clas']; $query="SELECT * FROM $clas "; Cannot be repaired by using a PDO or mysql-real_escape_string() . Can anyone please provide sample code how to fix this so a newbie can paste that code (after/adjusting it to his needs) and be safe from SQL-injection. Please don't explain SQL-injection, I know all about injection and PDO, I just need sample code 回答1:

问题 I have a postgres jsonb query as follows: Blog.where("upload_data @> '[ { \"name\": \"#{name}\" }]'") Which works but breaks build because the excellent brakeman points out the possible sql injection risk. If I use bind variables: Blog.where("upload_data @> '[ { \"name\": ? }]'", name) It creates a sql query like: WHERE upload_data @> '[ { "name": 'name' }]' Note the single quotes - which is an invalid query If I use single quotes I get: WHERE upload_data @> "[ { 'name': 'name' }]" which is

问题 I've found some tutorials on this already, but they aren't exactly what I'm looking for, I can use the following for username fields and password fields Private Sub UsernameTextBox_KeyPress(ByVal sender As Object, ByVal e As System.Windows.Forms.KeyPressEventArgs) Handles UsernameTextBox.KeyPress If Char.IsDigit(e.KeyChar) OrElse Char.IsControl(e.KeyChar) OrElse Char.IsLetter(e.KeyChar) Then e.Handled = False Else e.Handled = True End If End Sub But for an email field how would I go about

问题 I have this function in plpgsql: CREATE OR REPLACE function login_v(em varchar, passwd varchar) RETURNS users AS $$ DECLARE cu users; BEGIN SELECT * into cu FROM users where email = em AND encrypted_password = crypt(passwd, encrypted_password); return cu; END $$ LANGUAGE plpgsql; When I provide an input like this: select login_v('test@test.com'' OR 1=1;--','la la la'); , I think my method should return the user with email test@test.com . What Am I doing wrong? Performing SQL injection is

问题 I am reading this article: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html I am using JPA with prepared statements (so thats the first point). There is also third point, which is talking about input validation with whitelist. Do I need to take care of input validation when I am using prepared statements? I dont understand that whitelist (point 3). Lets say, I would have an input, where you could write a name of the document. How am I going to validate