sql-injection

Someone has hacked my database and has dropped the table. In my PHP page there is one single query where I am using mysql_real_escape_string: $db_host="sql2.netsons.com"; $db_name="xxx"; $username="xxx"; $password="xxx"; $db_con=mysql_connect($db_host,$username,$password); $connection_string=mysql_select_db($db_name); mysql_connect($db_host,$username,$password); mysql_set_charset('utf8',$db_con); $email= mysql_real_escape_string($_POST['email']); $name= mysql_real_escape_string($_POST['name']); $sex= mysql_real_escape_string($_POST['sex']); if($_POST['M']!=""){ $sim = 1; }else { $sim = 0; }

Possible Duplicates: XKCD sql injection - please explain What is SQL injection? I have seen the term "SQL injection" but still do not understand it. What is it? SQL injection is where someone inserts something malicious into one of your SQL queries. Let's assume that you have an SQL query like this: select * from people where name = '<name>' and password = '<password>' Now let's assume that <name> and <password> are replaced by something someone types on your webpage. If someone typed this as their password... ' or '' = ' ...then the resulting query would be: select * from people where name =

I have read somewhere here that using prepared statements in PDO makes your app only immune to first order SQL injections, but not totally immune to second order injections. My question is: if we used prepared statements in all queries inlcuding SELECT queries and not only in INSERT query, then how can a second order sql injection be possible? For example in the following queries there is no chance for a 2nd order injection: write: INSERT INTO posts (userID,text,date) VALUES(?,?,?) read: SELECT * FROM posts WEHRE userID=? delete: DELETE FROM posts WHERE userID=? What you have read is a plain

Possible Duplicate: Can I protect against SQL Injection by escaping single-quote and surrounding user input with single-quotes? I just want to know, If I replace every ' with '' in user inputs, for instance string.Replace("'","''") , and validate numbers (make sure that they are numbers, and do not contain any other character), is SQL Injection still possible? How? I'm using dynamic SQL queries, using SqlCommand . Something like this: cmd.CommandText = "SELECT * FROM myTable WHERE ID = " + theID.ToString(); or cmd.CommandText = "UPDATE myTable SET title='" + title.Replace("'","''") + "' WHERE

This is a follow-up to this question: Is PHP's addslashes vulnerable to sql injection attack? (thanks to everyone that replied over there). Same scenario, but I have this code (in another page): $ID = $_GET['id']; $sql = "SELECT * FROM blog WHERE id='$ID'"; $result = mysql_query($sql); This should be easy enough to exploit, right? If I remember correctly I CANNOT run a second query inside mysql_query() but I should be able to do some other malicious stuff, right? Would love to be able to insert a user into the admin table or change a password or something, but I assume I wouldn't be able to do

What is all about the second level SQL Injection.. This is with reference to the question Use of parameters for mysql_query .. and a part of one of the answers had this term... o.k.w I'm not exactly sure but I thought it was 'defined' in the post: Use of parameters for mysql_query Excerpt (see point 2): magic_quotes_gpc automatically escapes things you receive in requests from clients... but it cannot detect so-called second-level injections: You get a malicious query from a client and store its contents in the database. magic_quotes_gpc prevents SQL injection; the malicious string gets stored

I'm creating a site where the user unfortunately has to provide a regex to be used in a MySQL WHERE clause. And of course I have to validate the user input to prevent SQL injection. The site is made in PHP, and I use the following regex to check my regex: /^([^\\\\\']|\\\.)*$/ This is double-escaped because of PHP's way of handling regexes. The way it's supposed to work is to only match safe regexps, without unescaped single quotes. But being mostly self-taught, I'd like to know if this is a safe way of doing it. If you use prepared statements, SQL injection will be impossible. You should

I am new to ASP.NET and C# programming. I would like to know what is the difference and advantages plus disadvantages of using parameters instead of concatenation in SQL statements, as I heard that it is a better way to prevent SQL injection(?) Below are sample INSERT statements which I have changed from using concatenation to parameters: Concatenation: string sql = string.Format("INSERT INTO [UserData] (Username, Password, ...) VALUES ('" + usernameTB.Text + "', '" + pwTB.Text + "',...); Parameters: cmd.CommandText = "INSERT INTO [UserData] (Username, Password, ...) VALUES (@Username,