sql-injection

问题 I have an application which would greatly benefit by using dynamic mysql queries in combination with mysql (mysqli) real escape string. If I ran all data received from the user through mysql real escape would it be just as secure as using mysql prepared statements? 回答1: Definitely NO. While question in the title is ambiguous and can be interpreted as "Are dynamic mysql queries with every it's part properly formatted ..." and thus have a positive answer, the question in the body is not : If I

问题 Sorry for the long question but this contains all the SQL I\'ve used to test the scenario to hopefully make it clear as to what I\'m doing. I\'m build up some dynamic SQL to produce a PIVOT table in SQL Server 2005. Below is code to do this. With various selects showing the raw data the values using GROUP BY and the values in a PIVOT as I want them. BEGIN TRAN --Create the table CREATE TABLE #PivotTest ( ColumnA nvarchar(500), ColumnB nvarchar(500), ColumnC int ) --Populate the data INSERT

问题 Just looking at: (Source: https://xkcd.com/327/) What does this SQL do: Robert\'); DROP TABLE STUDENTS; -- I know both \' and -- are for comments, but doesn\'t the word DROP get commented as well since it is part of the same line? 回答1: It drops the students table. The original code in the school's program probably looks something like q = "INSERT INTO Students VALUES ('" + FNMName.Text + "', '" + LName.Text + "')"; This is the naive way to add text input into a query, and is very bad , as you

问题 I understand that you should NEVER trust user input from a form, mainly due to the chance of SQL injection. However, does this also apply to a form where the only input is from a dropdown(s) (see below)? I\'m saving the $_POST[\'size\'] to a Session which is then used throughout the site to query the various databases (with a mysqli Select query) and any SQL injection would definitely harm (possibly drop) them. There is no area for typed user input to query the databases, only dropdown(s).

问题 Why do we need a DB-specific functions like mysql_real_escape_string()? What can it do that addslashes() doesn\'t? Ignoring for the moment the superior alternative of parameterized queries, is a webapp that uses addslashes() exclusively still vulnerable to SQL injection, and if yes, how? 回答1: Addslashes is generally not good enough when dealing with multibyte encoded strings. 回答2: It adds slashes to: \x00, \n, \r, \, ', " and \x1a. characters. Where addslashes only adds slashes to ' \ and NUL

问题 I have to add a statement to my java program to update a database table: String insert = \"INSERT INTO customer(name,address,email) VALUES(\'\" + name + \"\',\'\" + addre + \"\',\'\" + email + \"\');\"; I heard that this can be exploited through an SQL injection like: DROP TABLE customer; My program has a Java GUI and all name, address and email values are retrieved from Jtextfields . I want to know how the following code ( DROP TABLE customer; ) could be added to my insert statement by a

问题 On http://www.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/?akst_action=share-this , there is a section that claims you can bypass mysql_real_escape_string with certain Asian character encodings Bypassing mysql_real_escape_string() with BIG5 or GBK \"injection string\" に関する追加情報： the above chars are Chinese Big5 Is this really true? And if so, how would you protect your website against this, if you had no access to prepared statements? 回答1: According to Stefan Esser, " mysql_real

问题 Started using PDO prepared statements not too long ago, and, as i understand, it does all the escaping/security for you. for example, assuming $_POST[\'title\'] is a form field. $title = $_POST[\'title\']; $query = \"insert into blog(userID, title) values (?, ?)\" $st = $sql->prepare($query); $st->bindParam(1, $_SESSION[\'user\'][\'userID\'], PDO::PARAM_INT); $st->bindParam(2, $title); $st->execute(); Is this really safe? Do i have to do anything else? what else do i have to take into

问题 What is the safest way to run queries on mysql, I am aware of the dangers involved with MySQL and SQL injection. However I do not know how I should run my queries to prevent injection on the variables to which other users (webclients) can manipulate. I used to write my own escape function, but apparently this is \"not-done\". What should I use and how should I use it to query and do inserts safely on a MySQL database through python without risking mysql injection? 回答1: To avoid injections,

问题 What is a strong way to protect against sql injection for a classic asp app? FYI I am using it with an access DB. (I didnt write the app) 回答1: Stored Procedures and/or prepared statements: https://stackoverflow.com/questions/1973/what-is-the-best-way-to-avoid-sql-injection-attacks Can I protect against SQL Injection by escaping single-quote and surrounding user input with single-quotes? Catching SQL Injection and other Malicious Web Requests With Access DB, you can still do it, but if you're