sql-injection | 易学教程

Avoiding SQL Injection in SQL query with Like Operator using parameters?

阅读更多关于 Avoiding SQL Injection in SQL query with Like Operator using parameters?

问题 Taking over some code from my predecessor and I found a query that uses the Like operator: SELECT * FROM suppliers WHERE supplier_name like '%'+name+%'; Trying to avoid SQL Injection problem and parameterize this but I am not quite sure how this would be accomplished. Any suggestions ? note, I need a solution for classic ADO.NET - I don't really have the go-ahead to switch this code over to something like LINQ. 回答1: try this: var query = "select * from foo where name like @searchterm"; using

How to fix Server Status Code: 302 Found by SQL Inject Me Firefox Addon

阅读更多关于 How to fix Server Status Code: 302 Found by SQL Inject Me Firefox Addon

问题 I scanned my login script using SQL Inject Me Firefox addon According to the Test Results, my script was vulnerable to SQL Injection. Result by example Results: Server Status Code: 302 Found Tested value: &#49&#39&#32&#79&#82&#32&#39&#49&#39&#61&#39&#49 Server Status Code: 302 Found Tested value: 1' OR '1'='1 Server Status Code: 302 Found Tested value: 1 UNI/**/ON SELECT ALL FROM WHERE Server Status Code: 302 Found Tested value: %31%27%20%4F%52%20%27%31%27%3D%27%31 My script login.php - Login

How does SQL-injection work and how do I protect against it [duplicate]

阅读更多关于 How does SQL-injection work and how do I protect against it [duplicate]

问题 Possible Duplicate: What is SQL injection? I see a lot of php code floating around on stackoverflow and (too) little escaping of strings. Can anyone Explain what SQL injection is; Explain what it can do to your server, data and code; Give an example how to perform an SQL-injection Give php sample code how to protect against SQL-injection 回答1: I cannot resist aswell. SQL Injection is "a code injection technique that exploits a security vulnerability occurring in the database layer of an

How do I re-write a SQL query as a parameterized query?

阅读更多关于 How do I re-write a SQL query as a parameterized query?

I have heard that I can prevent SQL injection attacks by using parameterized queries, but I do not know how to write them. How would I write the following as a parameterized query? SqlConnection con = new SqlConnection( "Data Source=" + globalvariables.hosttxt + "," + globalvariables.porttxt + "\\SQLEXPRESS;" + "Database=ha;" + "Persist Security Info=false;" + "UID='" + globalvariables.user + "';" + "PWD='" + globalvariables.psw + "'"); string query = "SELECT distinct ha FROM app WHERE 1+1=2"; if (comboBox1.Text != "") { query += " AND firma = '" + comboBox1.Text + "'"; } if (comboBox2.Text !=

Preventing SQL Injection in ASP.Net

阅读更多关于 Preventing SQL Injection in ASP.Net

I have this code UPDATE OPENQUERY (db,'SELECT * FROM table WHERE ref = ''"+ Ref +"'' AND bookno = ''"+ Session("number") +"'' ') How would I prevent SQL Injections on this? UPDATE Here's what i'm trying SqlCommand cmd = new SqlCommand("Select * from Table where ref=@ref", con); cmd.Parameters.AddWithValue("@ref", 34); For some reason everything I try and add it doesn't seem to work I keep getting SQL Command mentioned below. The error is this 'SqlCommand' is a type and cannot be used as an expression I'm taking over someone else's work so this is all new to me and I would like do things the

A good way to escape quotes in a database query string?

阅读更多关于 A good way to escape quotes in a database query string?

问题 I've tried all manner of Python modules and they either escape too much or in the wrong way. What's the best way you've found to escape quotes (", ') in Python? 回答1: If it's part of a Database query you should be able to use a Parameterized SQL Statement. As well as escaping your quotes, this will deal with all special characters and will protect you from SQL injection attacks. 回答2: Use json.dumps . >>> import json >>> print json.dumps('a"bc') "a\"bc" 回答3: The easy and standard way to escape

Am I immune to SQL injections if I use stored procedures?

阅读更多关于 Am I immune to SQL injections if I use stored procedures?

问题 Lets say on MySQL database (if it matters). 回答1: No, you will not be completely safe. As others have mentioned, parameterized queries are always the way to go -- no matter how you're accessing the database. It's a bit of an urban legend that with procs you're safe. I think the reason people are under this delusion is because most people assume that you'll call the procs with parameterized queries from your code. But if you don't, if for example you do something like the below, you're wide

SQL Injection attack prevention: where do I start

阅读更多关于 SQL Injection attack prevention: where do I start

I'm looking to make my site secure against SQL injection attacks. Does anyone have any good links to make the site secure against these types of attacks in an ASP.NET site (c#, web forms)? EDIT: I should point out at I am using the Entity Framework The first and best line of defense is to not use dynamic SQL . Always use parameterized queries . Take a look at the OWASP page about SQL Injection . See these resources: How To: Protect From SQL Injection in ASP.NET (MSDN) Data Security: Stop SQL Injection Attacks Before They Stop You SQL Injection Attacks and Some Tips on How to Prevent Them

Does this code prevent SQL injection?

阅读更多关于 Does this code prevent SQL injection?

Background I've been contracted to analyze an existing Data Provider and I know the following code is faulty; but in order to point out how bad it is, I need to prove that it's susceptible to SQL injection. Question What "Key" parameter could break the PrepareString function and allow me to execute a DROP statement? Code Snippet Public Shared Function GetRecord(ByVal Key As String) As Record Dim Sql As New StringBuilder() With Sql .Append("SELECT * FROM TableName") If String.IsNullOrEmpty(Agency) Then .Append(" ORDER BY DateAdded") Else .Append(" WHERE Key = '") .Append(PrepareString(Key))

Delphi - prevent against SQL injection

阅读更多关于 Delphi - prevent against SQL injection

问题 I need to protect an application from SQL injection. Application is connecting to Oracle, using ADO, and search for the username and password to make the authentication. From what I've read until now, the best approach is by using parameters, not assigning the entire SQL as string. Something like this: query.SQL.Text := 'select * from table_name where name=:Name and id=:ID'; query.Prepare; query.ParamByName( 'Name' ).AsString := name; query.ParamByName( 'ID' ).AsInteger := id; query.Open;