sql-injection

Base64 encoded string for simple sql injection

两盒软妹~` submitted on 2020-02-04 04:13:31
Question: Aside from the performance issue, is base64_encode() a "good" practice to prevent SQL injection? Of course not for all fields (columns), but just for one TEXT field (for example, in a contact form). We know that the characters returned by the base64_encode() function are "safe" and do not even need escaping (correct me if I'm wrong), but I want to know if it is "safe" in every situation (charset encoding, or something similar). Simple practical example: $dbc = new mysqli( DBHOSTNAME, DBUSERNAME, DBPASSWORD ); $name =

Why does this SQL injection succeed even though the SQL statement produces a syntax error?

你离开我真会死。 submitted on 2020-02-03 16:46:22
Question: In this question and some of the comments, this input: $input = '; DELETE FROM table_name ; #'; was suggested as an example of an SQL injection into this PHP statement: $input = $_POST['input']; 'SELECT '.$input.' FROM table_name' I cut to the chase and used an example in MySQL directly, although I used * in place of #. The result is the same. CREATE TABLE a_table ( id INT NOT NULL); INSERT INTO a_table (id) VALUES (1), (2), (3), (4), (5); SELECT * FROM a_table; SELECT ; DELETE FROM a_table

Which method is more secure between MySQLi and PDO [closed]

爷,独闯天下 submitted on 2020-02-03 11:07:09
Question: As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance. Closed 6 years ago. So far, I'm seeing that both MySQLi and PDO are good methods when connecting to the database. What I need is which method is more

How do I prevent my SQL statements from SQL injection when using CLR/C++ with multiple variables?

a 夏天 submitted on 2020-02-02 13:09:30
Question: I am having a major problem where I do not know how to prevent SQL injection when writing SQL statements in CLR/C++. Below is the code: String^ sqlstr = "SELECT * FROM "; sqlstr += tableName + " WHERE " + field + " = " + fieldEntity; I need to be able to input correct SQL injection preventions to this statement. Background code: class database { protected: string fieldEntity; string tableName; string field; ... ____ OleDbDataReader^ openData(String^ fieldEntity, String^ field, String^ tableName)
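
The same query shape, SELECT * FROM <table> WHERE <field> = <value>, built safely, as an added example that is not the question's C++/CLI code. It is written in Python on sqlite3 (a stand-in for OleDb; an assumption). Two different rules apply: the value goes through a bind parameter (the positional '?' marker, which is also what OleDbCommand uses), while table and column names cannot be parameters at all, so they are checked against an allow-list of the schema and then quoted as identifiers. The schema and rows are constructed for the example.

```python
# Added example, not the question's code. sqlite3 stands in for OleDb.
import sqlite3

# Constructed schema: the only tables and columns the application may query.
ALLOWED_COLUMNS = {
    "users": {"id", "name", "email"},
    "orders": {"id", "user_id", "status"},
}


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")])
    conn.commit()
    return conn


def open_data_unsafe(conn, field_entity, field, table_name):
    """The question's pattern: every part concatenated, the value not even quoted."""
    sql = "SELECT * FROM " + table_name + " WHERE " + field + " = " + field_entity
    return conn.execute(sql).fetchall()


def build_query(table_name, field):
    """Identifiers are validated, never bound; the value slot is a placeholder."""
    if table_name not in ALLOWED_COLUMNS:
        raise ValueError(f"unknown table: {table_name!r}")
    if field not in ALLOWED_COLUMNS[table_name]:
        raise ValueError(f"unknown column: {field!r} in {table_name!r}")
    # Double quotes are the SQL-standard identifier quote; MySQL uses backticks,
    # SQL Server uses [brackets]. The quoting is belt-and-braces once the names
    # have been allow-listed.
    return f'SELECT * FROM "{table_name}" WHERE "{field}" = ?'


def open_data(conn, field_entity, field, table_name):
    """Safe replacement for openData(): validated identifiers, bound value."""
    return conn.execute(build_query(table_name, field), (field_entity,)).fetchall()


if __name__ == "__main__":
    conn = fresh_db()
    print(open_data_unsafe(conn, "'alice' OR 1=1", "name", "users"))   # both rows leak
    print(open_data(conn, "'alice' OR 1=1", "name", "users"))          # [] : it is just a string
    print(open_data(conn, "alice", "name", "users"))                   # alice's row only
```

With the bound parameter the injected text is compared as a literal against the name column and matches nothing; the unsafe version returns every row because the OR becomes part of the WHERE clause. A table or column name the schema does not know is refused before any SQL is built.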

Laravel SelectRaw vs DB:Raw

两盒软妹~` submitted on 2020-01-31 04:11:04
Question: First: DB::table('someTable') ->selectRaw('count(*), min(some_field) as someMin, max(another_field) as someMax') ->get(); Second: DB::table('someTable')->select( array( DB::raw('min(some_field) as someMin'), DB::raw('max(another_field) as someMax'), DB::raw('COUNT(*) as `count`') ) )->get() The above two queries give the same result, but my question is: are there any possible security issues (SQL injections) with these two queries if I use user inputs directly in where conditions? Answer 1: As per Laravel's

When is it best to sanitize user input?

可紊 submitted on 2020-01-26 23:55:32
Question: User equals untrustworthy. Never trust an untrustworthy user's input. I get that. However, I am wondering when the best time to sanitize input is. For example, do you blindly store user input and then sanitize it whenever it is accessed/used, or do you sanitize the input immediately and then store this "cleaned" version? Maybe there are also some other approaches I haven't thought of in addition to these. I am leaning more towards the first method, because any data that came from user input must

SQL injection on INSERT

你说的曾经没有我的故事 submitted on 2020-01-26 09:42:05
Question: I have created a small survey web page on our company intranet. This web page is not accessible from the outside. The form is simply a couple of radio buttons and a comments box. I would like to maintain good coding practices and would like to guard against SQL injections. Can SQL injections happen on an insert statement with comments from the textbox? If so, how can I guard against it using .NET 2.0? Answer 1: Injection can happen on any SQL statement not run properly. For example, let's pretend
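
An added example serving both the base64_encode() question near the top of this page and the INSERT question above; it is not code from either post. sqlite3 stands in for MySQL and SQL Server (an assumption); the three patterns map directly onto mysqli/PDO and System.Data.SqlClient. The comment box of a survey form is inserted three ways: pasted into the SQL text (injectable), pasted in after base64 encoding (not injectable, because the base64 alphabet is only A-Z a-z 0-9 + / =, so no quote, backslash or semicolon can reach the parser, but the stored column is now opaque to SQL and a LIKE search finds nothing), and bound as a parameter (not injectable, data stored as typed). The table, payload and search are constructed for the example.

```python
# Added example, not code from either question. sqlite3 stands in for MySQL/SQL Server.
import base64
import sqlite3
import string

BASE64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")

# Constructed payload: closes the string and the VALUES list, stacks a DROP,
# then re-opens a statement so the trailing "')" still parses.
PAYLOAD = "x'); DROP TABLE survey; SELECT ('"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE survey (id INTEGER PRIMARY KEY, rating INTEGER, comment TEXT)")
    conn.commit()
    return conn


def table_exists(conn):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'survey'").fetchone()
    return row is not None


def stored_comments(conn):
    return [r[0] for r in conn.execute("SELECT comment FROM survey ORDER BY id")]


def search_comments(conn, word):
    """A moderator's search: LIKE over the stored text, itself a bound parameter."""
    return [r[0] for r in conn.execute(
        "SELECT comment FROM survey WHERE comment LIKE ?", ("%" + word + "%",))]


def insert_concatenated(conn, rating, comment):
    """Vulnerable: the comment becomes SQL text. executescript() runs stacked
    statements the way a SqlCommand batch does (mysqli_query() would reject the
    second statement but is still open to single-statement manipulation)."""
    sql = f"INSERT INTO survey (rating, comment) VALUES ({int(rating)}, '{comment}')"
    conn.executescript(sql)
    conn.commit()


def insert_base64(conn, rating, comment):
    """Still concatenated, but only base64 characters reach the parser."""
    encoded = base64.b64encode(comment.encode("utf-8")).decode("ascii")
    assert set(encoded) <= BASE64_ALPHABET   # no quote, backslash or ';' can appear
    sql = f"INSERT INTO survey (rating, comment) VALUES ({int(rating)}, '{encoded}')"
    conn.executescript(sql)
    conn.commit()
    return encoded


def insert_parameterised(conn, rating, comment):
    """The real fix: the comment never becomes SQL text at all."""
    conn.execute("INSERT INTO survey (rating, comment) VALUES (?, ?)", (rating, comment))
    conn.commit()


if __name__ == "__main__":
    conn = fresh_db(); insert_concatenated(conn, 5, PAYLOAD)
    print("concatenated: table survives?", table_exists(conn))           # False
    conn = fresh_db(); insert_base64(conn, 5, PAYLOAD)
    print("base64:", table_exists(conn), search_comments(conn, "DROP"))  # True, []
    conn = fresh_db(); insert_parameterised(conn, 5, PAYLOAD)
    print("bound:", table_exists(conn), search_comments(conn, "DROP"))   # True, the payload
```

base64 "works" only because it happens to strip every character the SQL grammar cares about; the price is that every reader must decode, WHERE/LIKE/ORDER BY on the column stop meaning anything, and any other field that is not encoded stays exposed. A bound parameter keeps the text searchable and is safe regardless of charset because it is never parsed as SQL.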

How to escape sql injection from HANA placeholder

社会主义新天地 submitted on 2020-01-25 07:21:07
Question: I have some HANA queries which use PLACEHOLDER input and of course I want to prevent an SQL injection. I try to use ? in odbc_prepare(): $query = <<<SQL SELECT col, ... FROM table_name('PLACEHOLDER'=('$$some_key$$', ?)) WHERE col = ? SQL; $stmt = \odbc_prepare($conn, $query); if ($stmt !== false) { \odbc_execute($stmt, ['placeholder_value', 'where_value']); } but I receive this warning: Warning: odbc_prepare(): SQL error: [SAP AG][LIBODBCHDB SO][HDBODBC] Syntax error or access violation;257