sql-injection

Django, if using raw SQL, what steps should I take to avoid SQL injection attacks?

牧云@^-^@ submitted on 2019-12-07 05:24:10
Question: I have read that ORMs should minimise the possibilities of SQL injection attacks. However, in Django the ORM is sometimes somewhat limited, and I need to use raw SQL. What steps should I take to avoid SQL injection attacks? Currently I would know to check for semicolons in the query string, but not much else. If I use parametrised queries, will this solve the problem? Are there any libraries to pass the string to that will check it for me? Answer 1: The documentation states the following: If you

Rails brakeman warning of sql injection

久未见 submitted on 2019-12-07 04:43:14
Question: I've got a scope in my model: scope :assigned_to_user, ->(user) { task_table = UserTask.table_name joins("INNER JOIN #{task_table} ON #{task_table}.user_id = #{user.id} AND (#{task_table}.type_id = #{table_name}.type_id) AND (#{task_table}.manager_id = #{table_name}.manager_id) ") } So after running a brakeman report I get this warning: assigned_to_user | SQL Injection | Possible So I tried the following: scope :assigned_to_user, ->(user) { task_table = UserTask.table_name joins(ActiveRecord

Is Propel's fromArray/fromJSON feature safe from SQL injection?

怎甘沉沦 submitted on 2019-12-07 04:16:54
Question: The Propel ORM documentation mentions a neat import/export feature using functions like fromArray and fromJSON, that should allow something like this: $foo = new Widget(); $foo->fromArray($_POST); $foo->save(); /* Aaand you're done! */ ...but the documentation doesn't mention if using fromArray this way is supposed to be safe, i.e. if fromArray can handle untrusted input. My guess would be that it's all right - the default setters are injection-proof, and the whole deal is based on PDO - but

sql injection - how to sanitize program generated sql clause?

淺唱寂寞╮ submitted on 2019-12-07 02:47:01
Question: In standard Ajax, WHERE and ORDER BY SQL clauses are provided by the program (not the user), e.g. var url = ".select?dd=emp&where="+escape("emp_tp='abc' and hire_dt<current_date-'2 years' and super_emp_id is distinct from emp_id") answered on the server by $where = (isset($_GET['where'])) ? pureClause($_GET['where']) : null; $order = (isset($_GET['order'])) ? pureClause($_GET['order']) : null; ... $query = $query.(($where)?" where $where":'').(($order)?" order by $order":''); The question is what

When using DbSet<T>.SqlQuery(), how to use named parameters?

Deadly submitted on 2019-12-07 02:04:07
Question: I'm a big fan of using named parameters instead of string-based parameter injection. It's type-safe and safe against most forms of SQL injection. In old ADO.NET, I would create a SqlCommand object and a bunch of SqlParameters for my query. var sSQL = "select * from Users where Name = @Name"; var cmd = new SqlCommand(conn, sSQL); cmd.Parameters.AddWithValue("@Name", "Bob"); cmd.ExecuteReader(); Now, in Entity Framework, it appears (on this link) to have regressed to a simple String.Format

SQL Server: Sanitizing @param against injection attacks

泪湿孤枕 submitted on 2019-12-07 01:45:32
Question: For the sake of argument, let's just say I have to create a local variable containing a SQL query that has an INSERT: DECLARE @insert NVARCHAR(MAX) SELECT @insert = 'INSERT INTO [dbo].[' + @table + '] VALUES... EXEC (@insert) This INSERT is also going to contain a column value: DECLARE @insert NVARCHAR(MAX) SELECT @insert = 'INSERT INTO [dbo].[' + @table + '] VALUES (N''' + @message + ''')' EXEC (@insert) Now, I'm obviously concerned about an injection attack, and would like to ensure that

Is there a library for sanitizing query parameters for PostgreSQL or SQL in general, for FreePascal and Delphi?

让人想犯罪 __ submitted on 2019-12-07 01:03:30
Question: I got bitten by my first SQL escaping error (it was long overdue) when I tried to execute the PostgreSQL query below with a value containing an apostrophe, e.g. O'Brien, using FreePascal and Lazarus: SQL.Add(format('select * from zones where upper(zn_name) >= %s and upper(zn_name) < %s order by zn_name',[sQuote(zoneMin), sQuote(zoneMax)])); In the query above sQuote is a function that wraps a string in single quotes. Is there some standard library for sanitizing SQL query parameters for Lazarus

LINQ to Entities and SQL Injection

痞子三分冷 submitted on 2019-12-06 20:23:19
Question: I've seen a couple of conflicting articles about whether or not L2E is susceptible to SQL injection. From MSDN: Although query composition is possible in LINQ to Entities, it is performed through the object model API. Unlike Entity SQL queries, LINQ to Entities queries are not composed by using string manipulation or concatenation, and they are not susceptible to traditional SQL injection attacks. Does that imply that there are "non-traditional" attacks that may work? This article has one

Prevent SQL Injection in ORDER BY clause

自闭症网瘾萝莉.ら submitted on 2019-12-06 20:20:41
Question: In our DB access layer we have some dynamic query creation. For instance, we have the following method for building a part of an ORDER BY clause: protected string BuildSortString(string sortColumn, string sortDirection, string defaultColumn) { if (String.IsNullOrEmpty(sortColumn)) { return defaultColumn; } return String.Format("{0} {1}", sortColumn, sortDirection); } The problem is, sortColumn and sortDirection both come from outside as strings, so of course something should be done to

Is this safe in terms of SQL injection?

别说谁变了你拦得住时间么 submitted on 2019-12-06 15:02:20
Question: Currently getting more and more into MySQL. It's something I haven't been too fussed about, but I want to write some scripts with it now. My question is simple: I'm making a search script and just want to know if my PHP code can prevent some SQL injections. The code: $orig = $_POST['term']; $term = mysql_real_escape_string($orig); $sql = mysql_query("select * from db1 where content like '%$term%' "); Is this ok? Alternatively, if anyone has an easier/better/safer way of doing this, please feel