sql-injection

问题 I know about the uses of parameters in sql sentences, But just for curiosity is safe to use the Format function to prevent sql injections instead of use paramters. like this sample sCustomer : string begin AdoSql.CommandText:=Format('Select SUM(value) result from invoices where customer=%s',[QuotedStr(sCustomer)]); end; 回答1: That would probably be secure against SQL injection, assuming QuotedStr works as expected and there are no edge cases that can break it. (Which is by no means guaranteed.

问题 What is the best function to run my strings through to ensure that MySQL injection is impossible? Also, will it require running it through another function on the way out to make it display correctly? See also Are Parameters really enough to prevent Sql injections? C# Parameterized Query MySQL with in clause Can I protect against SQL Injection by escaping single-quote and surrounding user input with single-quotes? 回答1: Parameterized Queries 回答2: A parameter function. Humor aside, I mean don't

问题 We have a method in our database layer which looks like this: public List<String> getNamesFromId(List<Long> idsList){ StringBuilder query = new StringBuilder(); query.append("Select first_name from person where id in ("); for (int pos = 0; pos < idsList.size(); pos++) { query.append("?"); query.append(","); } query.deleteCharAt(query.length() - 1).append(")"); try { conn = establishConnection(); pstmt = conn.prepareStatement(query.toString()); for (int i = 0; i < selections.size(); i++) {

问题 I'm new to web security .After spending time reading some blogs and community sites like SO ,I have found some techniques to be safe from XSS Attack and SQL Injection .But the problem is,most of that security related questions are very old.So,my question is does my following code has any major security holes that can be bypassed by amateur or mid-level attacker(hacker) . Is there anything else I can do to be safe from attack?By the way,I'm using HTMLPurifier to be safe from XSS Attack PHP

问题 I have been using the block of code below to supposedly stop sql injections. It is something someone showed me when I first started php(which was not that long ago) I place it in every page just as shown on the open. I am wondering if it is effective? I do not know how to test for sql injections <?php //Start the session session_start(); //=======================open connection include ('lib/dbconfig.php'); //===============This stops SQL Injection in POST vars foreach ($_POST as $key =>

问题 I'm learning about RoR/databases and this topic particularly confused me. In the book Agile Development with Rails 4 , they give an example of finding a list of all orders with for an entry with name Dave: pos = Order.where("name = 'Dave' and pay_type = 'po") The book goes on to say that you would never want to do something like this: name = params[:name] pos = Order.where("name = '#{name}'and pay_type = 'po'") Instead you should do this: name = params[:name] pos = Order.where(["name = ? and

问题 One thing that's always confused me is input escaping and whether or not you're protected from attacks like SQL injection. Say I have a form which sends data using HTTP POST to a PHP file. I type the following in an input field and submit the form: "Hello", said Jimmy O'Toole. If you print/echo the input on the PHP page that receives this POST data, it comes out as: \"Hello\", said Jimmy O\'Toole. This is the point where it gets confusing. If I put this input string into (My)SQL and execute

问题 I'm quite confused now and would like to know, if you could clear things up for me. After the lateste Anon/Lulsec attacks, i was questioning my php/mysql security. So, i thought, how could I protect both, PHP and Mysql. Question: Could anyone explain me, what's best practice to handle PHP and Mysql when it comes to quotes? Especially in forms, I would need some kind of htmlspecialchars in order to protect the html, correct? Can PHP be exploitet at all with a form? Is there any kind of

问题 I do understand that the prepared statements is the ultimate way to seek protection against the SQL injection. However, they provide coverage in a limited fashion; for example, in cases where I let the user to decide how the order by operation to be ( i.e, is it ASC or DESC? etc ), I get no coverage there with the prepared statements. I understand that I can map the user input to a pre-defined white list for that. But, this is only possible when a whitelist can be created or guessed

问题 We all know that parameterized SQL is the way to go when dealing with user input and dynamic SQL, but is casting from string to int (or double, or long, or whatever) as effective if the input you are seeking is numeric? I guess what I am asking is if this technique alone is infallible in regards to SQL injection? 回答1: I'm no expert, but I'm reasonably sure that this would be safe. But why take the chance? Use parameterised SQL and you don't ever need to worry about it. Besides, parameterising