sql-injection

Classic ASP SQL Injection Protection

不打扰是莪最后的温柔 提交于 2019-11-26 11:21:26
What is a strong way to protect against sql injection for a classic asp app? FYI I am using it with an access DB. (I didnt write the app) Cade Roux Stored Procedures and/or prepared statements: https://stackoverflow.com/questions/1973/what-is-the-best-way-to-avoid-sql-injection-attacks Can I protect against SQL Injection by escaping single-quote and surrounding user input with single-quotes? Catching SQL Injection and other Malicious Web Requests With Access DB, you can still do it, but if you're already worried about SQL Injection, I think you need to get off Access anyway. Here's a link to

Preventing SQL injection in Node.js

旧巷老猫 提交于 2019-11-26 11:18:41
Is it possible to prevent SQL injections in Node.js (preferably with a module) in the same way that PHP had Prepared Statements that protected against them. If so, how? If not, what are some examples that might bypass the code I've provided (see below). Some Context: I'm making a web application with a back-end stack consisting of Node.js + MySql using the node-mysql module. From a usability perspective, the module is great, but it has not yet implemented something akin to PHP's Prepared Statements (though I'm aware it is on the todo ). From my understanding, PHP's implementation of prepared

Is mysql_real_escape_string() broken?

折月煮酒 提交于 2019-11-26 10:35:25
Some people believe that mysql_real_escape_string() has some flaws and cannot protect your query even when properly used. Bringing some fossilized articles as a proof. So, the question is: is mysql[i]_real escape_string() totally unacceptable? Or is it's still possible to use this function to create your own kind of prepared statements? With proofcode, please. From the MySQL’s C API function mysql_real_escape_string description : If you need to change the character set of the connection, you should use the mysql_set_character_set() function rather than executing a SET NAMES (or SET CHARACTER

How can sanitation that escapes single quotes be defeated by SQL injection in SQL Server?

蓝咒 提交于 2019-11-26 10:27:33
问题 To start this off, I am well aware that parameterized queries are the best option, but I am asking what makes the strategy I present below vulnerable. People insist the below solution doesn\'t work, so I am look for an example of why it wouldn\'t. If dynamic SQL is built in code using the following escaping before being sent to a SQL Server, what kind of injection can defeat this? string userInput= \"N\'\" + userInput.Replace(\"\'\", \"\'\'\") + \"\'\" A similar question was answered here,

How do I re-write a SQL query as a parameterized query?

China☆狼群 提交于 2019-11-26 10:03:53
问题 I have heard that I can prevent SQL injection attacks by using parameterized queries, but I do not know how to write them. How would I write the following as a parameterized query? SqlConnection con = new SqlConnection( \"Data Source=\" + globalvariables.hosttxt + \",\" + globalvariables.porttxt + \"\\\\SQLEXPRESS;\" + \"Database=ha;\" + \"Persist Security Info=false;\" + \"UID=\'\" + globalvariables.user + \"\';\" + \"PWD=\'\" + globalvariables.psw + \"\'\"); string query = \"SELECT distinct

Preventing SQL Injection in ASP.Net

▼魔方 西西 提交于 2019-11-26 10:01:52
问题 I have this code UPDATE OPENQUERY (db,\'SELECT * FROM table WHERE ref = \'\'\"+ Ref +\"\'\' AND bookno = \'\'\"+ Session(\"number\") +\"\'\' \') How would I prevent SQL Injections on this? UPDATE Here\'s what i\'m trying SqlCommand cmd = new SqlCommand(\"Select * from Table where ref=@ref\", con); cmd.Parameters.AddWithValue(\"@ref\", 34); For some reason everything I try and add it doesn\'t seem to work I keep getting SQL Command mentioned below. The error is this \'SqlCommand\' is a type

SQL Injection attack prevention: where do I start

女生的网名这么多〃 提交于 2019-11-26 09:52:53
问题 I\'m looking to make my site secure against SQL injection attacks. Does anyone have any good links to make the site secure against these types of attacks in an ASP.NET site (c#, web forms)? EDIT: I should point out at I am using the Entity Framework 回答1: The first and best line of defense is to not use dynamic SQL. Always use parameterized queries. Take a look at the OWASP page about SQL Injection. 回答2: See these resources: How To: Protect From SQL Injection in ASP.NET (MSDN) Data Security:

Does this code prevent SQL injection?

时光怂恿深爱的人放手 提交于 2019-11-26 09:50:57
问题 Background I\'ve been contracted to analyze an existing Data Provider and I know the following code is faulty; but in order to point out how bad it is, I need to prove that it\'s susceptible to SQL injection. Question What \"Key\" parameter could break the PrepareString function and allow me to execute a DROP statement? Code Snippet Public Shared Function GetRecord(ByVal Key As String) As Record Dim Sql As New StringBuilder() With Sql .Append(\"SELECT * FROM TableName\") If String

MySQL Prepared Statements

坚强是说给别人听的谎言 提交于 2019-11-26 08:36:03
问题 I was just wondering if there was a way I could use some form of prepared statements in MySQL so I wouldn\'t have to escape all my inputs and I wouldn\'t have to switch all of my files from MySQL to MySQLi. I really don\'t trust the escaping functions, so if there is any alternatives that work in regular MySQL, it would be great. 回答1: Use PDO (PHP Data Objects) to connect to your MySQL database. This method will make sure that all database input will always be treated as text strings and you

What is the PDO equivalent of function mysql_real_escape_string?

折月煮酒 提交于 2019-11-26 08:17:10
问题 I am modifying my code from using mysql_* to PDO . In my code I had mysql_real_escape_string() . What is the equivalent of this in PDO? 回答1: Well No, there is none! Technically there is PDO::quote() but it is rarely ever used and is not the equivalent of mysql_real_escape_string() That's right! If you are already using PDO the proper way as documented using prepared statements, then it will protect you from MySQL injection. # Example: Below is an example of a safe database query using
订阅 sql-injection