sql-injection

问题 i have a SQL which is dynamically build,the following is the query : private String constructTownSearchQuery(String country, String stateName,String districtName,String townName) { StringBuilder statesSearchQuery = new StringBuilder(); statesSearchQuery.append(" select cntry.countryid,cntry.country,sta.stateid,sta.state,dst.districtid,dst.district,twn.townid,twn.town "); statesSearchQuery.append(" from m_countries as cntry,m_states as sta,m_districts as dst,m_towns as twn ");

问题 Closed . This question needs to be more focused. It is not currently accepting answers. Want to improve this question? Update the question so it focuses on one problem only by editing this post. Closed 2 years ago . I am trying to fetch bulk data from a website database but could not succeed. Can somebody suggest if SQL injection is possible and how to do in this case. 回答1: There are many ways to do SQL Injection to a website similar to the one you provided. In the where clause it is

问题 I want to make a quick and easy demonstration about how SQL injection work. And I've solved some of my problems. I have a table with random usernames, passwords and emails in, and I'm able to "inject" SQL code to view all of the users in a search with this injection: ' OR '1'='1 This is how my PHP code looks for searching for "members": if (isset($_POST['search'])) { $searchterm = $_POST['searchterm']; echo $searchterm . '<br>'; /* SQL query for searching in database */ $sql = "SELECT

问题 This question already has answers here : How can I prevent SQL injection in PHP? (28 answers) Closed 6 years ago . I've below code in one of my php files to fetch data from DB: $products = $this->db->get_rows('SELECT * from products WHERE shop_id='.$_SESSION['shop_id'].'AND tags,title,text LIKE \'%'.$_POST['search'].'%\''); Is it problematic? I mean LIKE operator can be injected? Edited please provide examples of injecting in this way 回答1: Any operator can be injected without binding. $_POST[

问题 I have a form into which the visitor can enter data, and I want to store this data in a mysql database via the $_POST variable. What do I need to prevent sql injection? 回答1: Use prepared statements . 回答2: I gave a presentation at the PHP TEK-X conference in May 2010 about this topic, and I tried to cover multiple methods for defending against SQL Injection. There is no single method that is best in all cases, so you should learn multiple methods and use all of them: Validate user input or any

问题 It's my first time developing using MVC and I want to make it secure. When I use HtmlEncode it converts the String to the equivalent HTML String. The user can enter in the search for example ali' or ali-- and they exist in my database. How to control my search and login from SQL injection please? Also any tutorial or best practice to prevent script injection? 回答1: LINQ and Entity Framework already check for SQL Injection for you. But you should read the documentation anyhow: LINQ MSDN Link

问题 I'm a beginner in ASP.NET so I have some questions about how to prevent SQL injection in ASP.NET. My programming language is VB.NET, not C#, and I'm using Microsoft Access as my database. My questions are: How to protect my database from SQL injection? I have been reading postings from other forums and they said using parameters with stored procedures, parameters with dynamic SQL. Can they be implemented in a Microsoft Access database? 回答1: Here is a very simple ASP.NET example using a

问题 I'm a beginner in ASP.NET so I have some questions about how to prevent SQL injection in ASP.NET. My programming language is VB.NET, not C#, and I'm using Microsoft Access as my database. My questions are: How to protect my database from SQL injection? I have been reading postings from other forums and they said using parameters with stored procedures, parameters with dynamic SQL. Can they be implemented in a Microsoft Access database? 回答1: Here is a very simple ASP.NET example using a

问题 I'm a beginner in ASP.NET so I have some questions about how to prevent SQL injection in ASP.NET. My programming language is VB.NET, not C#, and I'm using Microsoft Access as my database. My questions are: How to protect my database from SQL injection? I have been reading postings from other forums and they said using parameters with stored procedures, parameters with dynamic SQL. Can they be implemented in a Microsoft Access database? 回答1: Here is a very simple ASP.NET example using a

问题 I have the following code: function dbPublish($status) { global $dbcon, $dbtable; if(isset($_GET['itemId'])) { $sqlQuery = 'UPDATE ' . $dbtable . ' SET active = ? WHERE id = ?'; $stmt = $dbcon->prepare($sqlQuery); $stmt->bind_param('ii', $status, $_GET['itemId']); $stmt->execute(); $stmt->close(); } } Do I need to mysql_real_escape_string in this case or am i okay? 回答1: No, you don't have to escape value yourself (i.e. no you don't need to call mysqli_real_escape_string ) , when you are using