sql-injection

Preventing code injection without limiting user input? [closed]

心已入冬 提交于 2019-12-04 06:45:53
问题 Closed . This question needs to be more focused. It is not currently accepting answers. Want to improve this question? Update the question so it focuses on one problem only by editing this post. Closed 5 years ago . Ok, so I am aware of methods of input sanitization/checking such as using a whitelist, blacklist, mysqli_escape (or whatever it is in PHP), but say you have a site where, for some reason, instead of having users upload code (HTML, Javascript, C, etc.) inside of a file, they submit

Can PHP's PDO be limited to a single query?

别等时光非礼了梦想. 提交于 2019-12-04 06:29:06
PHP's PDO allows multiple querys to be executed at once, either via the query() method or as a prepared statement. Both of the following examples work: // Two SQL queries $query = "SELECT * FROM table; DROP table;" // Execute via query() $pdo->query($query); // Execute via prepared statement $stmt = $pdo->prepare($query); $stmt->execute(); Is there any way to limit PDO to a single query at a time, much like the mysql_query() function is? This is a more up-to-date answer to this question. The old way of preventing multi query execution was to disable emulated prepares, however this was only

Is it possible to do sql injection with stored procedures?

余生颓废 提交于 2019-12-04 06:22:32
问题 I saw some similar question, none about mysql... Is there any way to do a sql injection into a SP? How do I protect from this on the SP level? In other words, can the Query strucutre, inside a SP can be modified in any way by an incoming parameter? If I send to a stored procedure the parameter "1;DELETE FROM users;--" and the query is: select * from T where = @p 回答1: SQL injection is, basically, adding extra code to the query. The attack itself occurs because the server parses the input data

in general, in javascript, isn't using innerHTML an [in]security issue?

匆匆过客 提交于 2019-12-04 06:06:06
问题 with the DOM and cool new tools such as reactjs , should innerHTML ever be used in a javascript program? using it is a lot like opening oneself to an SQL injection attack, but here it's a cross-site scripting etc. everything needs to be examined and scrubbed before it's used. seems to me innerHTML has the same security issues as eval() and should be avoided for [in]security reasons. (also aesthetically, but that's just me.) 回答1: Yes, innerHTML is often misused and a very common source of

Avoiding an Sql injection attack

这一生的挚爱 提交于 2019-12-04 05:29:18
问题 I have an asp.net application. In which i have this code: using (Data.connexion) { string queryString = @"select id_user , nom, prenom, mail, login, mdp, last_visite, id_group, id_user_status from USERS where login =@login and mdp=@mdp"; SqlCommand command = new SqlCommand(queryString, Data.connexion); command.Parameters.AddWithValue("@login", _login); command.Parameters.AddWithValue("@mdp", _password.GetHashCode().ToString()); try { SqlDataReader reader = command.ExecuteReader(); do { while

PHP: While loop not working after adjusting SELECT for SQL injection prevention

懵懂的女人 提交于 2019-12-04 05:04:27
问题 I am trying to set up PHP queries for MySQL in a way to prevent SQL injection (standard website). I had a couple of INSERT queries where changing this worked well but on the following SELECT I keep getting an error since the update and it looks like the while loop doesn't work with the changes I made (it works well without using the statement as in the old code). Can someone tell me what I am doing wrong here ? New PHP: $stmt = $conn->prepare("SELECT ? FROM TranslationsMain WHERE location

Improving a function that UPSERTs based on an input array

给你一囗甜甜゛ 提交于 2019-12-04 05:01:52
问题 I am hoping to get some help improving a method for UPSERTing rows passed in as an array. I'm on Postgres 11.4 with deployment on RDS. I'm got a lot of tables to sort out, but am starting with a simple table for experimentation: BEGIN; DROP TABLE IF EXISTS "data"."item" CASCADE; CREATE TABLE IF NOT EXISTS "data"."item" ( "id" uuid NOT NULL DEFAULT NULL, "marked_for_deletion" boolean NOT NULL DEFAULT false, "name_" citext NOT NULL DEFAULT NULL, CONSTRAINT item_id_pkey PRIMARY KEY ("id") );

Prevention of SQL injection with PHP for SQL Server and without PDO [duplicate]

ぐ巨炮叔叔 提交于 2019-12-04 03:46:21
问题 This question already has answers here : How to escape strings in SQL Server using PHP? (14 answers) Closed 6 years ago . I can sanitize and validate my input as much as possible but that definitely doesn't cover everything and if I scrub hard enough, thoroughly enough, I will completely wipe away my input. I realize there are a lot of posts out there about this topic but it seems like they always go back to PDO or Mysql (yes - even if someone posts about SQL Server, half the answers they

sql injection prevention for create method in rails controller

瘦欲@ 提交于 2019-12-04 03:13:18
问题 As seen in comment_controller.rb: def create @comment = Comment.new(params[:comment]) @comment.save end Im assuming that this is SQL injection-unsafe. But what is the correct way of doing it?.. All the examples on the net deal with finds. 回答1: That code is safe from SQL injection attacks. The escaping is done by ActiveRecord, so any time you call a model's find , create , new / save , or any other method that does database interaction, you're OK. The only exception is if you use raw SQL for

Do I need to use (int)$id before I use $id in bindValue in Php PDO

谁说胖子不能爱 提交于 2019-12-04 02:27:28
问题 I just started using Php Data Objects and one thing I'm not sure about is do I have to validate that some variable is an integer before using it in the query. For example, like this: $id = (int)$_POST['id']; // is this required $query = $pdo->prepare("SELECT * FROM `articles` WHERE `id` = ?"); $query->bindValue(1, $id); $query->execute(); 回答1: No it's not required for two reasons: You're letting PDO know that you are going to query the database for a column ID. PDO isn't going to parse
订阅 sql-injection