sql-injection

I am using asp.net mvc 3 with WCF with EF 4.1 With Sql Azure. I am building the search engine for my application. and using the dynamic Linq to build queries. I want to avoid the sql injetion in this scenario. what is the best practice for the same ? what are the precaoution i should take in this scenario ? As long as your are building your queries through LINQ, then you are not vulnerable to SQL injection. While this doesn't mean that your code is invulnerable to ALL sorts of attacks (brute forcing passwords, etc.), you won't be vulnerable to SQL injection. Dynamic LINQ automatically protects

function Query() { $args = func_get_args (); if (sizeof ($args) > 0) { $query = $args[0]; for ($i = 1; $i < sizeof ($args); $i++) $query = preg_replace ("/\?/", "'" . mysql_real_escape_string ($args[$i]) . "'", $query, 1); } else { return FALSE; } I have a function like this. Basically, I make a query like this: $this->Query('SELECT * FROM USERS WHERE Username = ? AND Points < ?', $username, $points); It currently supports deprecated mysql functions, but adapting to mysqli will be as easy as replacing mysql with mysqli in my class. Is this a safe approach to rely on against SQL Injection

I have a web application with lots of data, and a search/filter function with several fields, such as name, status, date, and so on. I have been using parameterized queries like this for the regular (non-search) queries: $id = $_POST['itemID']; $db = mysqli_connect($host, $username, $password, $database); $sql_query = "SELECT * FROM tbl_data WHERE ID = ?"; $stmt_query = mysqli_prepare($db, $sql_query); mysqli_stmt_bind_params($stmt_query, "i", $id); mysqli_stmt_execute($stmt_query); //and so on.. How would I protect agains SQL-injection with multiple, optional parameters? There can be up to 10

I know there have been a lot of questions asked already about this topic. And I also know that the way to go are prepared statements. However I have still not completely understood if or how the following could become a security problem: $mysqli = new mysqli("localhost", "root", "", "myDatabase"); $mysqli->set_charset("utf8"); $pw = mysqli_real_escape_string($mysqli,$_POST['pw']); $username = mysqli_real_escape_string($mysqli,$_POST['username']); $str = "SELECT * FROM users WHERE id='".$id."' AND username='".$username."'"; $result = $this -> mysqli -> query($qstr); if($result->num_rows > 0){ /

I'm very new to erlang and I need to code something which inserts rows in a MySQL Database. How can I prevent SQL Injections with Erlang? Is there also something like prepared statements in other Languages or how should I do it? Thanks for your replies. This answer depends on the driver you are using. Erlang ODBC has a function param_query that binds a set of parameters to the query and it might also escape all the SQL special characters. erlang-mysql-driver has prepared statements: %% Register a prepared statement mysql:prepare(update_developer_country, <<"UPDATE developer SET country=? where

I'm working at a company where the person responsible for the database module is strictly against using prepared statements. I'm worrying that his implementation is not secure. Here is the code we are currently using to make a SQL query (Java 8 Application with JDBC/MySQL 5.5): String value = "Raw user input over HTTP-Form"; String sql = "SELECT * FROM db1.articles WHERE title like '" + replaceSingleQuotes(value) + "'"; executeSQL(sql); public static String replaceSingleQuotes(String value) { value = value.replaceAll("\\\\", "\\\\\\\\"); return value.replaceAll("'", "\\\\'"); } I was not able