sql-injection

Do I need to use (int)$id before I use $id in bindValue in Php PDO

[亡魂溺海] submitted on 2019-12-01 13:54:39
I just started using Php Data Objects and one thing I'm not sure about is do I have to validate that some variable is an integer before using it in the query. For example, like this:

    $id = (int)$_POST['id']; // is this required
    $query = $pdo->prepare("SELECT * FROM `articles` WHERE `id` = ?");
    $query->bindValue(1, $id);
    $query->execute();

No it's not required for two reasons: You're letting PDO know that you are going to query the database for a column ID. PDO isn't going to parse anything in $_POST['id']. The second value of bindValue is automatically cast to a string (or of any type you

Is an SQL injection actually possible by adding a second query?

天大地大妈咪最大 submitted on 2019-12-01 13:50:28
There's a lot of warnings about SQL injections here on SO, but none I've found really answers how it happens. In this question, I'm assuming it's MySQL and PHP. The basic mysql_ doesn't accept a second query inside a query, right? So, basically, this

    $unsafe = "');DROP TABLE table;--";
    mysqli_query($con, "INSERT INTO table (Column) VALUES ('$unsafe')");

doesn't actually do anything harmful? Correct me on this. I've no experience working with mysqli_, so I'll skip to PDO, and "Prepared statements". When I started working with PDO, I had a lack of information on it, and basically

Selecting data from mySQL using the ID in URL

梦想的初衷 submitted on 2019-12-01 13:48:32
I have a table that has the columns

    GroupID | GroupName  | GroupDesc   | Overs |
    --------|------------|-------------|-------|
    1       | Test Group | Description | Yes   |

I have a page called list.php and it currently creates the URL for each row in the DB in the groups table (above). The code is not the prettiest but I think it works. This is the code of list.php:

    <?php
    $result = mysql_query("SELECT * FROM groups");
    while ($row = mysql_fetch_array($result)) {
        echo "<div class=\"divider\">";
        echo "<a href=\"group.php?id=";
        echo $row['GroupID'];
        echo "\">";
        echo $row['GroupName'];
        echo "</a>";
        echo "<br><br>";
        echo

SQL injection with php filtering

让人想犯罪 __ submitted on 2019-12-01 12:12:07
Question: I have to inject a login form for an exercise in a computer security course. I have passed the first level using the simple ' like 1=1-- in the password field, but now in the second level I have to inject again the same login form with the same source code, except for the fact that user and pwd are being controlled by a function called lvl2_filter(), which I think is part of filters.php and does not accept "=" and "OR". How can I do it? Both username and password fields cannot be empty.

Selecting data from mySQL using the ID in URL

怎甘沉沦 submitted on 2019-12-01 11:18:31
Question: I have a table that has the columns

    GroupID | GroupName  | GroupDesc   | Overs |
    --------|------------|-------------|-------|
    1       | Test Group | Description | Yes   |

I have a page called list.php and it currently creates the URL for each row in the DB in the groups table (above). The code is not the prettiest but I think it works. This is the code of list.php:

    <?php
    $result = mysql_query("SELECT * FROM groups");
    while ($row = mysql_fetch_array($result)) {
        echo "<div class=\"divider\">";
        echo "<a href=\"group.php

How to cleanse a string to avoid SQL Injection and the most common types of attack? (in PHP)

試著忘記壹切 submitted on 2019-12-01 10:47:09
Is there a way, in as little code as possible, to filter a string for both SQL injection and the most common forms of attack? In my scripts I'm using the following, and I would like to know whether it's reasonably safe and whether someone else has a suggestion:

    $cleanName = htmlspecialchars(addslashes($dirtyName));

See how I filtered it both for html chars and for quotes and double-quotes. NOTE: I'm using addslashes() rather than mysql_real_escape_string() because I don't want to hardcode the DB I'm using into my code. Is this ok? Thanks in advance. Probably not... you need to escape your raw

SQL injection on Classic ASP pages with parameterized queries: text fields

杀马特。学长 韩版系。学妹 submitted on 2019-12-01 09:16:31
I've parameterized my queries in my Classic ASP app, but am unsure whether I need to sanitize or scrub free text fields or if the parameterization is sufficient to prevent injection. Not all sql stored procs are injection safe: http://palisade.plynt.com/issues/2006Jun/injection-stored-procedures/ If you use parametrized queries, you're safe against SQL injection attacks. But not against XSS attacks; some user could insert HTML content (think about <script>, <object> tags) into your database and, at some page, another user gets that potentially malicious code executed. Source: https://stackoverflow

How to cleanse a string to avoid SQL Injection and the most common types of attack? (in PHP)

会有一股神秘感。 submitted on 2019-12-01 08:35:51
Question: Is there a way, in as little code as possible, to filter a string for both SQL injection and the most common forms of attack? In my scripts I'm using the following, and I would like to know whether it's reasonably safe and whether someone else has a suggestion:

    $cleanName = htmlspecialchars(addslashes($dirtyName));

See how I filtered it both for html chars and for quotes and double-quotes. NOTE: I'm using addslashes() rather than mysql_real_escape_string() because I don't want to hardcode the

Secure against SQL Injection - PDO, mysqli [duplicate]

筅森魡賤 submitted on 2019-12-01 08:26:39
Question: This question already has answers here: Closed 7 years ago. Possible Duplicate: Best way to prevent SQL Injection in PHP. I just found that my website is vulnerable. Since it's connected to a DB and has functions like: Register, Change Password, Notices, etc... and SUPPOSING it's fully vulnerable. What should I look for in the code in order to start making it safe? I mean, I did some research and everywhere, everyone says different things about security. "Use PDO." "Use mysql_real_escape

With stored procedures, is cfSqlType necessary?

牧云@^-^@ submitted on 2019-12-01 08:23:40
To protect against sql injection, I read in the introduction to ColdFusion that we are to use the cfqueryparam tag. But when using stored procedures, I am passing my variables to corresponding variable declarations in SQL Server:

    DROP PROC Usr.[Save]
    GO
    CREATE PROC Usr.[Save] (@UsrID Int, @UsrName varchar(max)) AS
    UPDATE Usr SET UsrName = @UsrName WHERE UsrID=@UsrID
    exec Usr.[get] @UsrID

Q: Is there any value in including cfSqlType when I call a stored procedure? Here's how I'm currently doing it in Lucee:

    storedproc procedure='Usr.[Save]' {
        procparam value=Val(form.UsrID);
        procparam value