sql-injection

How can I avoid SQL injection attacks?

瘦欲@ submitted on 2020-01-08 17:01:22
Question: Yesterday I was speaking with a developer, and he mentioned something about restricting the insertions on database fields, like strings such as -- (minus minus). At the same time, what I know is that it is a good approach to escape HTML chars like <, >, etc. Not --. Is this true? Do I have to worry about --, ++? Is it more like a myth or old stuff? Update: Thanks a lot for all the answers, it's easy to understand like that since I'm kind of new to all of this. Well, to be more specific in this

Parameterized Queries with LIKE and IN conditions

心不动则不痛 submitted on 2020-01-08 16:02:10
Question: Parameterized queries in .Net always look like this in the examples: SqlCommand comm = new SqlCommand(@" SELECT * FROM Products WHERE Category_ID = @categoryid ", conn); comm.Parameters.Add("@categoryid", SqlDbType.Int); comm.Parameters["@categoryid"].Value = CategoryID; But I'm running into a brick wall trying to do the following: SqlCommand comm = new SqlCommand(@" SELECT * FROM Products WHERE Category_ID IN (@categoryids) OR name LIKE '%@name%' ", conn); comm.Parameters.Add("@categoryids",

Custom SQL column formulas without dynamic SQL

雨燕双飞 submitted on 2020-01-07 05:02:11
Question: We have a program that allows users to map raw, unmodified input data to a standardized final table. In general it's a simple one-to-one match without any special logic needed. For example, raw_table.raw_col_1 will map to final_table.col_1, raw_table.raw_col_2 will map to final_table.col_2, etc. However, one customer wants the ability to have final_table.col_3 mapped as follows: case when (raw_col_1 = 'S12' and raw_col_2 = 'D18') or raw_col_3 is not null then raw_col_3 else 'GF17' end

How can I prevent SQL injection in PHP?

天大地大妈咪最大 submitted on 2020-01-07 04:19:32
Question: If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example: $unsafe_variable = $_POST['user_input']; mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')"); That's because the user can input something like value'); DROP TABLE table;-- , and the query becomes:

Django sql injection protection

China☆狼群 submitted on 2020-01-07 01:39:33
Question: Is it necessary to do custom cleaning of form data received from fields where the user is limited to selecting from pre-defined valid choices? For example, radio buttons, choice fields, etc. I have a situation where a database select is performed but the columns used in that select are defined by the user. The user is presented with pre-defined valid choices (radio buttons, choice fields) which represent table columns. When that form is received, do I need to do custom cleaning of that data to

Is this site vulnerable to an SQL injection attack? [closed]

依然范特西╮ submitted on 2020-01-06 15:14:32
Question: Closed 8 years ago. I am visiting a site and I mistakenly entered a single quote while I was trying to hit the enter key. The URL that got sent is: http://www.domain.tld