sql-injection

In the below sample code, Table Name is an input parameter. In this case, how can I avoid SQL injection using sp_executesql . Below is the sample code, I am trying to use sp_executesql to avoid it but it doesn't work. Can anyone tell me how to correct it? ALTER PROC Test @param1 NVARCHAR(50), @param2 INT, @tblname NVARCHAR(100) AS BEGIN DECLARE @sql NVARCHAR(1000) SET @sql= N' select * from ' + @tblname + ' where name= @param1 and id= @param2'; PRINT @sql EXEC Sp_executesql @sql, N'@param1 nvarchar(50), @param2 int', @param1, @param2; END EXEC Test 'John', 2, ' emp; delete from emp where id =

This question is merely for educational purposes, as I'm not currently building any application that builds SQL queries with user input. That said, I know that in ADO.NET you can prevent SQL Injection by doing something like this: OleDbCommand command = new OleDbCommand("SELECT * FROM Table WHERE Account = @2", connection); command.Parameters.AddWithValue("@2", "ABC"); But assuming that your application is designed in such a way that the user can actually enter the name of the table, can you do the following? (I don't care if it's a bad idea to allow the users to supply the name of the table,

I've been reading up on SQL injections and I couldn't find an answer to this question. I understand if I a query like this prepare("SELECT id, foo, bar FROM table WHERE username = ?"); Then I should use bind_param('s', $username) to avoid SQL injection possibilities. But what if I running my query on something that is not user-inputted but something like an auto-generated ID. Example: prepare("SELECT username, foo, bar from table where id = ?"); Where id is self-generated (auto-incremented value). Do I have to make use of bind_param('i', $id) here too or can I just prepare the query as:

I am building a little interface where I would like users to be able to write out their entire sql statement and then see the data that is returned. However, I don't want a user to be able to do anything funny ie delete from user_table; . Actually, the only thing I would like users to be able to do is to run select statements. I know there aren't specific users for SQLite, so I am thinking what I am going to have to do, is have a set of rules that reject certain queries. Maybe a regex string or something (regex scares me a little bit). Any ideas on how to accomplish this? def input_is_safe

Hi I am using a dataset and in that dataset I have a table adapter. In my table adapters I have used stored procedures as queries. If I use the following lines to insert form data using my table adapter, is it safe against SQL injection? Thanks. UserDataSetTableAdapters.UserInformationTableAdapter myFactory = new TestProject.UserDataSetTableAdapters.UserInformationTableAdapter(); myFactory.spTest_InsertUserInformation(id, frmAddress); Without posting your stored-procedure code, there's no way to truly answer your question, but you can probably answer it yourself. SQL injection attacks stem

Example mysql_query: $query=mysql_query("SELECT `col1`, `col2` FROM `table` WHERE `col1`='$escapedvariable' "); I know the above is not good in practice. Better query using prepare and execute $pSt = $dbh->prepare('SELECT col1, col2 FROM table WHERE col1=:col1); $pSt->execute(array(':col1'=>$escapedvariable); $status=$pSt->errorCode(); Question: Can I use mysql_query with bound variables for added security? No, you have to use mysqli -functions or PDO . 来源： https://stackoverflow.com/questions/4836821/bind-variables-in-a-mysql-query-statement

As seen in comment_controller.rb: def create @comment = Comment.new(params[:comment]) @comment.save end Im assuming that this is SQL injection-unsafe. But what is the correct way of doing it?.. All the examples on the net deal with finds. That code is safe from SQL injection attacks. The escaping is done by ActiveRecord, so any time you call a model's find , create , new / save , or any other method that does database interaction, you're OK. The only exception is if you use raw SQL for one of the options, for example: Comment.find(:all, :conditions => "user_id = #{params[:user_id]}") the

This question already has an answer here: How can I sanitize user input with PHP? 18 answers i want to check my data from the user for XSS and SQL injection and this is how i tried if (isset($_GET['membernumber'])) { $mem = htmlentities($_GET['membernumber']); $memberparamter = cleanData($mem); } But which method is the best/correct way to check? Method 1 function cleanData($data) { $data=mysql_real_escape_string($data); $data=trim($data); $data=stripcslashes($data); $data=htmlspecialchars($data); $data=strip_tags($data); return $data; } Method 2 function cleanData($data) { $data=mysql_real