sql-injection

问题 How do I prevent SQL injection when it comes to ColdFusion? I'm quite new to the language/framework. Here is my example query. <cfquery name="rsRecord" datasource="DataSource"> SELECT * FROM Table WHERE id = #url.id# </cfquery> I see passing in url.id as a risk. 回答1: Use a <cfqueryparam> tag for your id: http://www.adobe.com/livedocs/coldfusion/6.1/htmldocs/tags-b20.htm <cfquery name="rsRecord" datasource="DataSource"> SELECT * FROM Table WHERE id = <cfqueryparam value = "#url.id#" CFSQLType

问题 This question gets asked a lot, but I still haven't found a straight answer on stackoverflow. Are these two functions sufficient or not? There are a lot of contradictory comments around the internet "yes its fine?, "no, never use it". Others say, use PDO, which I don't understand. I'm just a beginner to PHP, so I don't fully understand all of the ins and outs of security. I've tried reading and understanding the following, but many don't make much sense to me. http://ha.ckers.org/xss.html Do

问题 I'm trying to insert the visitor's inputs into a database. This works, but - is this good enough to prevent sql injection ? <?php $db_host = "localhost"; $db_name = "db_qadenza"; $db_user = "root"; $odb = new PDO ("mysql:host=" . $db_host . ";dbname=" . $db_name, $db_user); if(isset($_POST['Submit'])) { $user = $_POST['user']; $pass = $_POST['pass']; $mail = $_POST['mail']; $confirm_key=md5(uniqid(rand())); $q = "INSERT INTO members (user, pass, mail, confirm_key) VALUES(:user, :pass, :mail,

问题 I'm new to developing things on the web. So far, I'm spending a lot of time (50% or so) to try and prevent bad people from putting things like sql injection into my input forms and validating it server side. Is this normal? 回答1: @Jeremy - some PHP specifics When it comes to database queries, always try and use prepared parameterised queries. The mysqli and PDO libraries support this. This is infinitely safer than using escaping functions such as mysql_real_escape_string. Yes, mysql_real

问题 I have read that to prevent SQL Injection one must use PreparedStatement. Does that mean if i am using perparedStatement then no one can perform SQL Injection in any of my page? Is it foolproof against SQL Injection? If not then please give some example to demonstrate this. 回答1: As long as you're actually using the parameter substitution feature of the prepared statement (it's possible to misuse them and not use that feature), and provided there isn't a bug in the prepared statement library

问题 Since there are so many valid characters for email addresses, are there any valid email addresses that can in themselves be XSS attacks or SQL injections? I couldn't find any information on this on the web. The local-part of the e-mail address may use any of these ASCII characters: Uppercase and lowercase English letters (a–z, A–Z) Digits 0 to 9 Characters ! # $ % & ' * + - / = ? ^ _ ` { | } ~ Character . (dot, period, full stop) provided that it is not the last character, and provided also

问题 So, members of my website can post topics, replies, comments, edit them and so on. I always use htmlspecialchars and addslashes for html inputs to protect my site against XSS and SQL injection attacks. Is it enough or is there something more I miss? Thanks. 回答1: There is a lot that can go wrong with a web application. Other than XSS and SQLi, there is: CSRF - Cross Site Request Forgery LFI/RFI - Local File Include/Remote File Include caused by include() , require() ... CRLF injection in mail(

问题 Can someone explain if not including the cfsqltype for cfqueryparam is still useful for SQL injection protection? And also what actually happens with cfqueryparam with the cfsqltype and w/o cfsqltype. <!--- without cfsqltype---> <cfqueryparam value="#someValue#"> <!--- with cfsqltype---> <cfqueryparam value="#someValue#" cfsqltype="cf_sql_char"> 回答1: To get a good idea of what cfsqltype is likley doing under the hood take a look at the Java / JDBC PreparedStatement class: http://download

问题 I can get the result I expect by entering this in LINQPad: SELECT * FROM WorkTable WHERE WTName LIKE "DSD__20090410014953000%" (it shows me the record which has a WTName value of DSD__20090410014953000.xml") But trying to do this programmatically is proving trying. I tried: const string qry = "SELECT SiteNum FROM WorkTable WHERE WTName LIKE @wtName%"; using (SQLiteConnection con = new SQLiteConnection(HHSUtils.GetDBConnection())) { con.Open(); SQLiteCommand cmd = new SQLiteCommand(qry, con);

问题 I am wondering how Spring MVC handles SQL injections (and other security issues: XSS, code [javascript] injection, etc). I'm talking mostly about escaping the values that are added to DBs and such. I can't seem to find any answer because every time I search for spring sql injection results that involve dependency injection arise. My flow is as follows: from the client browser I make a request consisting of an JSON with some query parameters (not the SQL statement, that would be too stupid -