sql-injection

Need to avoid SQL Injection in Rails3

荒凉一梦 submitted on 2020-01-06 08:44:49
Question: I need the following code to be rewritten to avoid SQL injection in Rails 3. some_table_name.joins("inner join #{table_name} on linked_config_items.linked_type = '#{class_name}' and linked_config_items.linked_id = #{table_name}.id").where("#{table_name}.saved is true and #{table_name}.deleted_at is null") Here, table_name is dynamic and it will vary. Answer 1: SQL identifiers like table names and column names cannot be replaced with bound parameters, which is the more common method to ensure

Avoid SQL Injections on query with tablename [duplicate]

允我心安 submitted on 2020-01-06 08:25:14
Question: This question already has answers here (closed 7 years ago). Possible duplicate: Sanitize table/column name in Dynamic SQL in .NET? (Prevent SQL injection attacks). I have a query like so: "SELECT * FROM MyTable_" + myID + " WHERE variable = @variable"; The SQL parameterization works with variables, but how do I get it to work with table names? myID is an int I get passed in and change (it can be converted to a string), but how do I protect against SQL injection here? Answer 1: I question why you are

what more can I do to prevent myself from XSS injection & SQL Injection?

拟墨画扇 submitted on 2020-01-06 05:26:13
Question: If my site ever goes live (I don't think it will; it's just a learning exercise at the moment). I've been using mysql_real_escape_string(); on data from POST, SERVER and GET. Also, I've been using intval(); on strings that must only be numbers. I think this covers me against SQL injection? Correct? Can I do more? But I'm not sure how it provides (if it provides any protection at all) against XSS injection. Any more information on how to combat these two forms of attack is appreciated. Answer 1: I think
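The answer excerpt above is cut off, so here is the point a reviewer would make, as an added illustration that is not part of the question or the answer: SQL escaping and HTML escaping protect different contexts, and neither does anything for an unquoted numeric slot. The mysql_style_escape helper below is an assumed emulation of what mysql_real_escape_string does to the characters it knows about (NUL, newline, carriage return, backslash, both quotes and Ctrl-Z); it does not talk to MySQL and exists only to show what survives the escaping. All inputs are constructed.

```python
"""SQL escaping is not HTML escaping: each protects one context only.

Added example, not code from the original question or answer.
"""
import html
import re

# Assumption: the character set mysql_real_escape_string handles, emulated here.
_SQL_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}


def mysql_style_escape(s: str) -> str:
    """Backslash-escape the characters that could terminate a MySQL string literal."""
    return "".join(_SQL_ESCAPES.get(c, c) for c in s)


def sql_safe_but_xss(name: str) -> str:
    """What the question's approach yields: escaped for SQL, then echoed into the page.

    The stored value is fine inside a quoted SQL literal, but a browser does not
    treat backslash escaping as a barrier, so <script> arrives intact.
    """
    stored = mysql_style_escape(name)
    return f"<p>Welcome, {stored}</p>"


def xss_safe(name: str) -> str:
    """Escape at the output boundary for the context being written into (HTML text)."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


def numeric_clause(raw_id: str) -> str:
    """Escaping is useless for an unquoted numeric slot: there is no quote to escape."""
    return f"SELECT * FROM users WHERE id = {mysql_style_escape(raw_id)}"


def safe_id(raw_id: str):
    """The intval() idea done strictly: accept a whole decimal integer only, else None.

    PHP's intval("1 OR 1=1") silently returns 1; rejecting outright is clearer.
    """
    return int(raw_id) if re.fullmatch(r"[0-9]+", raw_id) else None


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"          # constructed XSS probe
    print(sql_safe_but_xss(payload))                # script tag survives
    print(xss_safe(payload))                        # script tag neutralised
    print(numeric_clause("1 OR 1=1"))               # tautology passes straight through
    print(safe_id("42"), safe_id("1 OR 1=1"))       # 42 None
```

The practical rule: bind values with prepared statements for the database, escape with html.escape (or the templating engine's auto-escaping) when rendering, and coerce numeric fields to real integers before they reach either.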

How to safely inject parameter into string DB query java?

北城以北 submitted on 2020-01-06 03:49:08
Question: I have this BigQuery example code: List<TableRow> rows = executeQuery( "SELECT TOP(corpus, 10) as title, COUNT(*) as unique_words Where country = 'USA' " + "FROM [publicdata:samples.shakespeare]", bigquery, PROJECT_ID); If I want to safely inject the country into that string, how can I do that? I want to avoid the risk of SQL injection and this is risky: public void foo(String countryParam) { List<TableRow> rows = executeQuery( "SELECT TOP(corpus, 10) as title, COUNT(*) as unique_words Where

Sql Injection parameterised query [closed]

回眸只為那壹抹淺笑 submitted on 2020-01-05 10:32:02
Question: This question is unlikely to help any future visitors; it is only relevant to a small geographic area, a specific moment in time, or an extraordinarily narrow situation that is not generally applicable to the worldwide audience of the internet. For help making this question more broadly applicable, visit the help center. Closed 6 years ago. I need to achieve the function below: public PartyDetails GetAllPartyDetails(string name) { try { String query = "select * from [Party Details] where name=

Avoid SQL injection in registration form php

为君一笑 submitted on 2020-01-04 06:13:34
Question: I have a simple registration form on my localhost (still testing), and I am wondering if it can be attacked by SQL injection? Code: $name = mysql_real_escape_string($_POST['name']); $password = mysql_real_escape_string($_POST['password']); $password = md5($password); $email = mysql_real_escape_string($_POST['email']); $refId = $_GET['refid']; $ip = $_SERVER['REMOTE_ADDR']; $add = mysql_query("INSERT INTO `users` (`name`, `password`, `email`, `refId`, `ip`) VALUES('$name','$password','$email','

Avoiding SQL Injection in SQLite3

☆樱花仙子☆ submitted on 2020-01-04 06:04:17
Question: I'm trying to figure out a good, easy way to avoid SQL injection and so far I've only been able to come up with two ideas: Base64-encode the user input (don't really want to do this); use a regex to remove unwanted characters (currently using this, not sure if it's 100% safe). Here is my current code: <?php $hash = $_GET['file']; if (isset($hash)) { $db = new SQLite3("Files.db"); if ($db != null) { $hash = preg_replace('/[^A-Za-z0-9 _.\-+=]/', '_', $hash); if ($response = $db->query("SELECT [FILE
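The BigQuery, [Party Details], registration-form and SQLite3 questions above all come down to the same thing: a user-supplied value spliced into SQL text. The block below is an added example, not code from any of those posts, written with Python's standard sqlite3 module against a constructed in-memory table that stands in for the Files.db of the last question. It puts the question's regex "sanitizer" next to a prepared statement and next to plain interpolation, so the three behaviours can be compared on the same inputs.

```python
"""Value binding vs. regex "sanitizing" vs. interpolation for a SQLite lookup.

Added example, not code from the original posts. Schema, rows and inputs are constructed.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the question's Files.db with a few constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE files (file TEXT PRIMARY KEY, owner TEXT, restricted INTEGER)")
    db.executemany(
        "INSERT INTO files VALUES (?, ?, ?)",
        [
            ("report.pdf", "alice", 0),
            ("O'Brien.txt", "bob", 0),      # legitimate name that contains a quote
            ("payroll.xlsx", "admin", 1),   # row a caller should never reach by injection
        ],
    )
    return db


def lookup_regex(db, name):
    """The question's approach: rewrite 'unwanted' characters, then splice into the SQL.

    The regex removes the quote an attacker needs, but it also mangles legitimate
    input, and its safety rests on the character class staying correct forever.
    """
    cleaned = re.sub(r"[^A-Za-z0-9 _.\-+=]", "_", name)
    return db.execute(f"SELECT file, owner FROM files WHERE file = '{cleaned}'").fetchall()


def lookup_param(db, name):
    """Prepared statement: the value travels separately from the SQL text and is
    compared literally, whatever characters it contains."""
    return db.execute("SELECT file, owner FROM files WHERE file = ?", (name,)).fetchall()


def lookup_unsafe(db, name):
    """Plain interpolation, for contrast: the bug both functions above try to avoid."""
    return db.execute(f"SELECT file, owner FROM files WHERE file = '{name}'").fetchall()


if __name__ == "__main__":
    db = make_db()
    legit, probe = "O'Brien.txt", "x' OR '1'='1"   # constructed inputs
    print("regex, legit: ", lookup_regex(db, legit))    # [] : quote became '_', lookup fails
    print("param, legit: ", lookup_param(db, legit))    # [("O'Brien.txt", "bob")]
    print("unsafe, probe:", lookup_unsafe(db, probe))   # every row, including payroll.xlsx
    print("param, probe: ", lookup_param(db, probe))    # []
```

The regex version happens to stop this particular probe, but only by corrupting the input; the bound parameter stops it while still returning the right row for a name with a quote in it. The same shape applies to the other questions: BigQuery's query parameters, SqlParameter in .NET and mysqli/PDO prepared statements in PHP all bind the value the same way.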

Prevent SQL Injection in Dynamic column names

浪子不回头ぞ submitted on 2020-01-04 04:04:13
Question: I can't get away without writing some dynamic SQL conditions in a part of my system (using Postgres). My question is how best to avoid SQL injection with the method I am currently using. EDIT (reasoning): There are many columns in a number of tables (a number which only grows and is maintained elsewhere). I need a method of allowing the user to decide which (predefined) column they want to query (and, if necessary, apply string functions to). The query itself is far too complex for the
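This question, the Rails 3 join on a dynamic table_name and the .NET "MyTable_" + myID query all share the problem the first answer names: identifiers cannot be bound, so they have to be validated instead. The block below is an added example, not code from any of the posts, using Python's sqlite3 module with a constructed schema. It reads the allowlist from the database's own catalog so it cannot drift as columns are added, quotes the identifier, and still binds every value. The Postgres equivalents it assumes are quote_ident()/format('%I') or psycopg2's sql.Identifier; in Rails, connection.quote_table_name and quote_column_name.

```python
"""Dynamic table and column names: allowlist the identifier, bind the value.

Added example, not code from the original posts. Tables and rows are constructed.
"""
import sqlite3


class BadIdentifier(ValueError):
    """Raised when a requested table or column is not part of the schema."""


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE invoices (id INTEGER PRIMARY KEY, customer TEXT, saved INTEGER, deleted_at TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT);
        INSERT INTO invoices VALUES (1, 'acme', 1, NULL), (2, 'globex', 1, '2020-01-01'), (3, 'acme', 0, NULL);
        INSERT INTO users VALUES (1, 'a@example.com', 'x');
    """)
    return db


def quote_ident(name: str) -> str:
    """SQL-standard identifier quoting: wrap in double quotes, double any inner quote."""
    return '"' + name.replace('"', '""') + '"'


def allowed_columns(db, table: str) -> set:
    """Derive the allowlist from the live schema; the table name itself is checked
    against the catalog before it is ever placed in SQL text."""
    tables = {r[0] for r in db.execute("SELECT name FROM sqlite_master WHERE type = 'table'")}
    if table not in tables:
        raise BadIdentifier(f"unknown table: {table!r}")
    # pragma_table_info is a table-valued function, so the name can be bound here too.
    return {r[0] for r in db.execute("SELECT name FROM pragma_table_info(?)", (table,))}


def select_where(db, table: str, column: str, value, only_saved: bool = False):
    """Build the statement from validated, quoted identifiers; the value is always bound."""
    cols = allowed_columns(db, table)
    if column not in cols:
        raise BadIdentifier(f"unknown column {column!r} on {table!r}")
    sql = f"SELECT id FROM {quote_ident(table)} WHERE {quote_ident(column)} = ?"
    if only_saved:  # the Rails question's fixed predicate, applied only where it makes sense
        if not {"saved", "deleted_at"} <= cols:
            raise BadIdentifier(f"{table!r} has no saved/deleted_at columns")
        sql += " AND saved = 1 AND deleted_at IS NULL"
    return [r[0] for r in db.execute(sql, (value,))]


if __name__ == "__main__":
    db = make_db()
    print(select_where(db, "invoices", "customer", "acme"))                  # [1, 3]
    print(select_where(db, "invoices", "customer", "acme", only_saved=True)) # [1]
    for table, column in [("users; DROP TABLE users", "id"), ("invoices", "customer OR 1=1")]:
        try:
            select_where(db, table, column, 1)
        except BadIdentifier as e:
            print("rejected:", e)
```

For the "MyTable_" + myID case the same check applies: build the candidate name from the integer, then confirm it exists in the catalog before using it, rather than trusting that the integer conversion alone makes the name safe.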