sql-injection

Basic SQL Injections?

浪尽此生 submitted on 2020-01-24 05:30:09
Question: I was told in a previous question that my query is prone to SQL injections. get_stats = mysql_query("SELECT * FROM visitors WHERE site='$_GET[site]' AND date BETWEEN '$start_date' AND '$end_date' "); What would be the easiest way to approach this problem? And do you have some further reading on the subject of injections? (Something that I might miss on Google.) Thanks!
Answer 1: Use Prepared Statements. In most cases, Prepared Statements do the job of combining your query with your parameters, in

Do I need to sanitize the user input Laravel

不打扰是莪最后的温柔 submitted on 2020-01-22 09:39:08
Question: I am using Laravel 4 with Eloquent. When I get the user input I just use $name=Input::get('name') and then I do $a->name=$name; I don't know if the function Input::get protects me from SQL Injection and XSS. If it does not, what do I have to do to sanitize the input? And, when I show the value in my view, shall I use {{$a}} or {{{$a}}}? Greetings and thanks.
Answer 1: Laravel uses PDO's parameter binding, so SQL injection is not something you should worry about. You should read this though. Input:

Is it safe to not parameterize an SQL query when the parameter is not a string?

戏子无情 submitted on 2020-01-22 04:29:12
Question: In terms of SQL injection, I completely understand the necessity to parameterize a string parameter; that's one of the oldest tricks in the book. But when can it be justified to not parameterize an SqlCommand? Are any data types considered "safe" to not parameterize? For example: I don't consider myself anywhere near an expert in SQL, but I can't think of any cases where it would be potentially vulnerable to SQL injection to accept a bool or an int and just concatenate it right into the

SQLInjection against CosmosDB in an Azure function

大城市里の小女人 submitted on 2020-01-21 11:35:32
Question: I have implemented an Azure function that is triggered by an HttpRequest. A parameter called name is passed as part of the HttpRequest. In the Integration section, I have used the following query to retrieve data from CosmosDB (as an input): SELECT * FROM c.my_collection pm WHERE Contains(pm.first_name,{name}) As you see, I am sending the 'name' without sanitizing it. Is there any SQLInjection concern here? I searched and noticed that parameterization is available, but that is not something I can do

Is MySQL more resistant to SQL injection attack than PostgreSQL (under Perl/DBI)?

删除回忆录丶 submitted on 2020-01-21 05:17:07
Question: I am reviewing a Linux-based perl web application that contains a login handler with the ubiquitous my $sth = $DB->prepare("SELECT password from passwords where userid='$userid'") or die; $sth->execute or die; ... where $userid is initialized from (unsafe, unfiltered) web user input. It is well known that the DBI documentation recommends that this code should be changed to use the placeholder "?" in place of '$userid' for security. This code was isolated on an off-network box, as-is, for the

is this dynamic (column & table) PHP select query safe?

我们两清 submitted on 2020-01-17 05:33:10
Question: Table and column names cannot be bound using PDO ->bindParam(), but I am sure more than one person would love to be able to. It is a little late, but I wrote this earlier and so far it works. I am kind of new to php, and would like to know what you think and if it is safe. $type = "defaultTableName"; $sortBy = "defaultColumnName"; $orderBy = "ASC"; //whitelisting unsafe input if(isset($_GET['orderBy'])&&($_GET['orderBy']=="ASC"||$_GET['orderBy']=="DESC")) $orderBy = $_GET['orderBy']; $tableNames =

re SQL Injection Attack using MySQL, what are baseline requirements?

半世苍凉 submitted on 2020-01-17 03:54:07
Question: In my current project I am using MySQL. Looking into the mysqli functions, I found them to be very difficult to use. In my opinion, any programmer using the library should have a Medal of Honor. Three problems: mysqli does not handle NULL or functions such as CURRENT_DATE; it is impossible to use parameterized SQL statements for queries with random WHERE clauses (so how do you prevent SQL Injection attacks?); in my opinion, it's too much work to use sqli in complicated cases (see link). PDO does not solve

ASP - SQL injection protection in the SELECT clause

浪子不回头ぞ submitted on 2020-01-16 04:04:16
Question: After getting great help in securing against SQL injection from classic ASP protection against SQL injection, I've encountered a major issue which cannot be solved using parameterized queries. name = Trim(Request.QueryString("name")) flds = Trim(Request.QueryString("flds")) sql = "set rowcount 0 select " & flds & " from [TABLE] where Name = '" & name & "'" From what I understand, a parameterized query will protect against SQL injection in the WHERE clause (in this case, the name field. flds