sql-injection

I´m new in PHP and I´ve realised that my database connection, using a php form (with user and pass text inputs) was totally unsafe: This was working, but was unsafe: <?php $link=mysqli_connect('localhost','xx','xx','xx'); $sql=' SELECT * FROM usuarios WHERE username="'.$_POST['usuario'].'" AND pass="'.$_POST['usuario'].'" '; $rs=mysqli_query($link,$sql); mysqli_close($link); ?> So, I´ve read about mysqli_real_escape_string, and decided to try it out: <?php $link=mysqli_connect('localhost','xx','xx','xx'); $usuario=mysqli_real_escape_string($link, $_POST["usuario"]); $clave=mysqli_real_escape

We have a ton of SQL Server stored procedures which rely on dynamic SQL. The parameters to the stored procedure are used in a dynamic SQL statement. We need a standard validation function inside these stored procedures to validate these parameters and prevent SQL injection. Assume we have these constraints: We can't rewrite the procedures to not use Dynamic SQL We can't use sp_OACreate etc., to use regular expressions for validation. We can't modify the application which calls the stored procedure to validate the parameters before they are passed to the stored procedure. Is there a set of

I'm learning about avoiding SQL injections and I'm a bit confused. When using bind_param, I don't understand the purpose. On the manual page, I found this example: $stmt = mysqli_prepare($link, "INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)"); mysqli_stmt_bind_param($stmt, 'sssd', $code, $language, $official, $percent); $code = 'DEU'; $language = 'Bavarian'; $official = "F"; $percent = 11.2; Now, assuming those 4 variables were user-inputted, I don't understand how this prevents SQL injections. By my understanding, they can still input whatever they want in there. I also can't find an

Question : Is preventing XSS (cross-site scripting) as simple using strip_tags on any saved input fields and running htmlspecialchars on any displayed output ... and preventing SQL Injection by using PHP PDO prepared statements? Here's an example: // INPUT: Input a persons favorite color and save to database // this should prevent SQL injection ( by using prepared statement) // and help prevent XSS (by using strip_tags) $sql = 'INSERT INTO TABLE favorite (person_name, color) VALUES (?,?)'; $sth = $conn->prepare($sql); $sth->execute(array(strip_tags($_POST['person_name']), strip_tags($_POST[

let us say I have a list page of users and you can sort by the different columns, when clicking 'email' it will pass sort_by=email sort_direction=asc or desc sort_by = "email" # really params[:sort_by] sort_direction = "asc" # really params[:sort_direction] User.order("#{sort_by} #{sort_direction}") # SELECT "users".* FROM "users" ORDER BY email asc so that works as expected, however if we change the sort_by sort_by = "email; DELETE from users; --" User.order("#{sort_by} #{sort_direction}") # SELECT "users".* FROM "users" ORDER BY email; DELETE from users; -- asc now we have no more users :( I

I am developing an application using hibernate. When I try to create a Login page, The problem of Sql Injection arises. I have the following code: @Component @Transactional(propagation = Propagation.SUPPORTS) public class LoginInfoDAOImpl implements LoginInfoDAO{ @Autowired private SessionFactory sessionFactory; @Override public LoginInfo getLoginInfo(String userName,String password){ List<LoginInfo> loginList = sessionFactory.getCurrentSession().createQuery("from LoginInfo where userName='"+userName+"' and password='"+password+"'").list(); if(loginList!=null ) return loginList.get(0); else