sql-injection

问题 Is there a catchall function somewhere that works well for sanitizing user input for SQL injection and XSS attacks, while still allowing certain types of HTML tags? 回答1: It's a common misconception that user input can be filtered. PHP even has a (now deprecated) "feature", called magic-quotes, that builds on this idea. It's nonsense. Forget about filtering (or cleaning, or whatever people call it). What you should do, to avoid problems, is quite simple: whenever you embed a string within

问题 I know that PreparedStatements avoid/prevent SQL Injection. How does it do that? Will the final form query that is constructed using PreparedStatements will be a string or otherwise? 回答1: The problem with SQL injection is, that a user input is used as part of the SQL statement. By using prepared statements you can force the user input to be handled as the content of a parameter (and not as a part of the SQL command). But if you don't use the user input as a parameter for your prepared

问题 Earlier today a question was asked regarding input validation strategies in web apps. The top answer, at time of writing, suggests in PHP just using htmlspecialchars and mysql_real_escape_string . My question is: Is this always enough? Is there more we should know? Where do these functions break down? 回答1: When it comes to database queries, always try and use prepared parameterised queries. The mysqli and PDO libraries support this. This is infinitely safer than using escaping functions such

问题 Is there an SQL injection possibility even when using mysql_real_escape_string() function? Consider this sample situation. SQL is constructed in PHP like this: $login = mysql_real_escape_string(GetFromPost(\'login\')); $password = mysql_real_escape_string(GetFromPost(\'password\')); $sql = \"SELECT * FROM table WHERE login=\'$login\' AND password=\'$password\'\"; I have heard numerous people say to me that code like that is still dangerous and possible to hack even with mysql_real_escape

问题 Originally I used mysql_connect and mysql_query to do things. Then I learned of SQL injection, so I am trying to learn how to use prepared statements. I understand how the prepare and execute functions of the PDO class are useful to prevent SQL injection. Are prepared statements only necessary when a users input is stored into a database? Would it be okay to still use mysql_num_rows , since I don\'t really run the risk of being hacked into by using this function? Or is it more secure to use

问题 I have a lot of user inputs from $_GET and $_POST ... At the moment I always write mysql_real_escape_string($_GET[\'var\']) .. I would like to know whether you could make a function that secures, escapes and cleans the $_GET / $_POST arrays right away, so you won\'t have to deal with it each time you are working with user inputs and such. I was thinking of an function, e.g cleanMe($input) , and inside it, it should do mysql_real_escape_string , htmlspecialchars , strip_tags , stripslashes (I

问题 It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center. Closed 7 years ago . This is to create a community learning resource . The goal is to have examples of good code that do not repeat the awful mistakes that can so often be found in copy/pasted PHP code. I have requested it be made

问题 How do prepared statements help us prevent SQL injection attacks? Wikipedia says: Prepared statements are resilient against SQL injection, because parameter values, which are transmitted later using a different protocol, need not be correctly escaped. If the original statement template is not derived from external input, SQL injection cannot occur. I cannot see the reason very well. What would be a simple explanation in easy English and some examples? 回答1: The idea is very simple - the query

问题 I am trying to create an SQL statement using user-supplied data. I use code similar to this in C#: var sql = \"INSERT INTO myTable (myField1, myField2) \" + \"VALUES (\'\" + someVariable + \"\', \'\" + someTextBox.Text + \"\');\"; var cmd = new SqlCommand(sql, myDbConnection); cmd.ExecuteNonQuery(); and this in VB.NET: Dim sql = \"INSERT INTO myTable (myField1, myField2) \" & \"VALUES (\'\" & someVariable & \"\', \'\" & someTextBox.Text & \"\');\" Dim cmd As New SqlCommand(sql, myDbConnection

问题 I am very new to working with databases. Now I can write SELECT , UPDATE , DELETE , and INSERT commands. But I have seen many forums where we prefer to write: SELECT empSalary from employee where salary = @salary ...instead of: SELECT empSalary from employee where salary = txtSalary.Text Why do we always prefer to use parameters and how would I use them? I wanted to know the use and benefits of the first method. I have even heard of SQL injection but I don\'t fully understand it. I don\'t