sql-injection

Can this simple String escaping prevent any SQL Injections?

匆匆过客 submitted on 2019-12-07 13:48:25
Question: I'm working at a company where the person responsible for the database module is strictly against using prepared statements. I'm worried that his implementation is not secure. Here is the code we are currently using to make a SQL query (Java 8 application with JDBC/MySQL 5.5): String value = "Raw user input over HTTP-Form"; String sql = "SELECT * FROM db1.articles WHERE title like '" + replaceSingleQuotes(value) + "'"; executeSQL(sql); public static String replaceSingleQuotes(String value) {

How can I update a table using SQL injection?

此生再无相见时 submitted on 2019-12-07 13:15:42
Question: How can I update a table in a MySQL database using SQL injection? I have heard that we can enter the query in the address bar and it is possible to update a table in the MySQL database. But I am not sure about it. Kindly give me an idea, professionals... Answer 1: You may want to try entering Robert'); DROP TABLE students; -- in your form :) In the above xkcd cartoon, Bobby was probably asked to fill in his name in a form, but he mischievously inserted Robert'); DROP TABLE students; -

How is this MySQL query vulnerable to SQL injection?

浪子不回头ぞ submitted on 2019-12-07 12:12:40
Question: In a comment on a previous question, someone said that the following SQL statement opens me up to SQL injection: select ss.*, se.name as engine, ss.last_run_at + interval ss.refresh_frequency day as next_run_at, se.logo_name from searches ss join search_engines se on ss.engine_id = se.id where ss.user_id='.$user_id.' group by ss.id order by ss.project_id, ss.domain, ss.keywords Assuming that the $userid variable is properly escaped, how does this make me vulnerable, and what can I do to fix

How to do SQL injection on Oracle

ぃ、小莉子 submitted on 2019-12-07 10:50:08
Question: I'm doing an audit of a system which the developers insist is SQL injection proof. They achieve this by stripping out the single quotes in the login form, but the code behind is not parameterized; it's still using literal SQL like so: username = username.Replace("'", ""); var sql = "select * from user where username = '" + username + "'"; Is this really secure? Is there another way of inserting a single quote, perhaps by using an escape character? The DB in use is Oracle 10g. Answer 1: Have a

Does SQL injection work in WinForms?

五迷三道 submitted on 2019-12-07 10:06:58
Question: I am making a Windows application in C#. I have read about SQL injection but I didn't find it working on my application. Does SQL injection work in WinForms? If yes, how do I prevent it? EDIT: I am using textboxes for reading the user name and password, and by using textboxes I found that the text from the textbox is between double quotes ( "" ). So I didn't find it to work. And when I use quotes " OR ' in the textbox, the text is read as \" OR \' Example: ................... USER NAME: | a" OR

How to prevent SQL Injection attack in applications programmed in Zend Framework?

為{幸葍}努か submitted on 2019-12-07 09:11:48
Question: I don't have any concept of ZF safety. Do I have to use Filter when operating on the database? Maybe binding is enough? How about this: $users->update($data, 'id=1'); Should the $data array be filtered somehow? Feel free to write anything you know about the issue. Could you give some links to good articles about safety in ZF (mainly about SQL injection and XSS)? Answer 1: Short answer While ZF takes and provides some measures to secure your app, you should still apply the same precautions that you'd

How are strings escaped for each database extension in PHP?

余生颓废 submitted on 2019-12-07 08:01:07
Question: Before anyone jumps to conclusions as to the nature of this question, I already know about parameterized/prepared statements and use them whenever possible. Unfortunately, it is not always possible to use them when building dynamic queries. I'm interested in working with databases other than MySQL, but I can't easily find good sources on how to escape strings for each database extension to prevent SQL injection. The PHP docs list the following vendor-specific database extensions. I've

Best practice for handling SQL injections when calling a stored procedure

女生的网名这么多〃 submitted on 2019-12-07 08:00:37
Question: I have inherited code in which I am fixing up security holes. What's the best practice for handling SQL injection when a stored procedure is called? The code is something like: StringBuilder sql = new StringBuilder(""); sql.Append(string.Format("Sp_MyStoredProc '{0}', {1}, {2}", sessionid, myVar, "0")); using (SqlConnection cn = new SqlConnection(ConfigurationManager.ConnectionStrings["Main"].ToString())) { cn.Open(); using (SqlCommand command = new SqlCommand(sql.ToString(), cn)) { command

ASP Classic - Recordset Object vs. Command Object

岁酱吖の submitted on 2019-12-07 07:03:26
Question: I am using ASP Classic and SQL Server 2000 to create dynamic websites. I am a bit confused about when to use a Recordset object and when to use a Command object when querying the database. I was told that if the stored procedure would be returning records from a SELECT statement then I should use a Recordset, however if I am updating or inserting then I should use a Command object and pass all data as parameters to the stored procedure. When using a Recordset I often pass any required data

Best way to escape strings for SQL inserts?

心不动则不痛 submitted on 2019-12-07 05:42:29
Question: What is the best way to escape strings for SQL inserts and updates? I want to allow special characters including ' and ". Is the best way to search and replace each string before I use it in an insert statement? Thanks. Duplicate of: Best way to defend against mysql injection and cross site scripting Answer 1: You should be using parameterized queries (so by extension, a DB interface library that supports parameterized queries) so that SQL injection can't happen. Answer 2: If you're talking about data