sql-injection

php - How to parametrize SQL query with multiple WHERE conditions (prepared statement)?

我与影子孤独终老i 提交于 2019-12-02 21:15:36
问题 I have multiple conditions in WHERE clause which are inputted by user (call them filters ). Currently I am processing them this way (don't worry it isn't deployed): //$by_nickname etc. are filters from $_GET $conditions = array(); if($by_nickname !="") { $conditions[] = " players.lastName LIKE ('%" . $by_nickname . "%')"; } if($by_steamid !="") { $conditions[] = " ids.uniqueId = '$by_steamid'"; } if($by_ip !="") { $conditions[] = " players.lastAddress = '$by_ip'"; } if($by_msg !="") {

how to prevent sql injection from this query?

ε祈祈猫儿з 提交于 2019-12-02 18:56:23
问题 I am using Yii 1, I want to build the following query: $a = Model::model()->findAllBySql( 'SELECT * FROM table WHERE name like "%'.$_GET['name'].'%"' ); To prevent the sql injection I wrote it as follow: $a = Model::model()->findAllBySql( 'SELECT * FROM table WHERE name like "%:name%"', array("name"=>$_GET['name']) ); but it returned no data. Are there any errors in this query ? 回答1: When the placeholder is quoted it is not a placeholder, it is the literal value. Try it this way: $a = Model:

Explain how order clause can be exploited in Rails

流过昼夜 提交于 2019-12-02 17:55:11
问题 I am having difficulty understanding how this section from this website on Rails SQL Injections works. Taking advantage of SQL injection in ORDER BY clauses is tricky, but a CASE statement can be used to test other fields, switching the sort column for true or false. While it can take many queries, an attacker can determine the value of the field. Can someone explain? The bit where they say "switching the sort column for true or false" is the one that is hard to understand because I don't get

PHP protecting itself from SQL injections?

99封情书 提交于 2019-12-02 17:09:26
问题 When I send ");-- from an input field to my localhost PHP server, it AUTOMATICALLY converts it to \");-- It seems great, except that I don't know how trustworthy this behavior is. Although it seems to avoid SQL injections, my development environment is not the same as the production environment and I'm afraid that the production environment may not have this sort of protection automatically activated... Why does PHP does this(convert the input without having to use mysql_real_escape_string )?

Do you have any SQL Injection Testing “Ammo”?

一世执手 提交于 2019-12-02 16:22:18
When reading about SQL Injection and XSS i was wondering if you guys have a single string that could be used to identify those vulnerabilities and others. A string that could be thrown into a website database to black box check if that field is safe or not. (going to do a large test on a few inhouse tools) Rough example, wondering if you guys know of more? "a' or '1'='1" "center'> < script>alert('test')< /script>" EDIT: Found a nice XSS question on SO I've found some nice firefox addons that do the trick. XSS Me SQL Inject Me JimmyJ https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat

Preventing SQL injection on insert

瘦欲@ 提交于 2019-12-02 14:33:24
I am looking for some tips to prevent SQL injection. I was told on a forum my code is not safe and am looking for someone nice enough to help me fix that. I have a webform and on submit it goes to the aspx.cs page and inserts the data into a ms sql database. protected void Submit_Click(object sender, EventArgs e) { string FullStartTime = StartTimeHourList.SelectedValue + ":" + StartTimeMinuteList.SelectedValue + " " + StartTimeAMList.SelectedValue; string FullEndTime = EndTimeHourList.SelectedValue + ":" + EndTimeMinuteList.SelectedValue + " " + EndTimeAMList.SelectedValue; OleDbConnection

Are Codeigniter - Active Records Vulnerable to SQL Injections?

走远了吗. 提交于 2019-12-02 14:32:58
问题 Just read this on Stack overflow and thus left me wondering if SQL injection is possible through active records in CI. At most of the places in my project, for user registration and user profile update, I have done SQL insertions like this : Controller : $name = $this->input->post('name'); $last_name = $this->input->post('last_name'); $age = $this->input->post('dob'); $user_data = array( 'name' => $name, 'last_name' => $last_name, 'age' => $age ); $this->user_model->add_user_function($user

Practices for getting information from $_GET/$_POST and saving it to a database?

大城市里の小女人 提交于 2019-12-02 12:21:05
问题 What are today's best practises when it comes to getting information from a get/post and saving information to a database? Is data still escaped like it used to or are there additional practises? Also, where can HTMLPurifier fit in this? I'm currently using it to filter rich text. 回答1: Never Save data from GET to db. Never ever save data from GET, even if you are doing sufficient validation and escaping. GET is not supposed to change information on server. Before changing anything on server

Getting rid of SQL injection without using Prepared statement

荒凉一梦 提交于 2019-12-02 11:32:28
问题 My application has a lot of JDBC queries written using Statement and is thus vulnerable to SQL injection. Unfortunately this application was developed around 10 years back and probably developers didn't know about Prepared statement. I know that the best way to solve this problem is to use PreparedStatement but it is very tedious to convert it throughout the application. Also, writing any sort of Patten matching for SQL injection could be very tricky as keywords like Select, insert, union,

Does md5 stop SQL Injection

与世无争的帅哥 提交于 2019-12-02 11:22:37
问题 Ok, So, i'm a little unsure on this. I have a url parameter username . and I have this statement SELECT * FROM users WHERE user_hash = md5($_GET['username']) Is this secure? Upon account creation an md5 hashed version of the username and the password are stored. I'm confused as this seems so simple, if md5 stops sql injection why isn't username and password always saved in hash form? 回答1: Yes, this will avoid SQL injection, because md5() always returns a string of hex code. But it isn't a
订阅 sql-injection