sql-injection

Prevent SQL Injection In This PHP Code

不问归期 submitted on 2021-02-17 07:17:06
Question: I have the following function that writes into a PostgreSQL database. I need to make it safe from SQL injection; however, I am not sure how to do that. The part of the query assembled from pg_query_params is safe from injection (or so I have been told), however the other part of the query assembled via PHP's string concatenation operator . is apparently vulnerable to injection. private function setItem($table, $id, $field, $itemId, $fieldValue){ $_1 = $itemId; $_2 = $fieldValue; $_3 = $field; $_4 =

How to prevent SQL Injections with User-Search-Terms in Vapor 4 (Fluent 4)

不想你离开。 submitted on 2021-02-10 12:48:45
Question: I am currently implementing a Vapor 4 application, which will be used to manage machines. The user should be able to search for a machine name, which I accomplished by .filter(Machine.path(for: \Machine.$name), .contains(inverse: false, .anywhere), term) where term is an arbitrary String provided by the user. The code itself works as intended, but I was wondering if there is the possibility of a SQL Injection vulnerability (or other attacks). My Question: Is SQL Injection (or other attacks)

How do I create a prepared statement in Node.JS for MSSQL?

放肆的年华 submitted on 2021-02-10 12:16:07
Question: I need to insert a string defined in Javascript into an MSSQL table. This is what I have so far: Javascript: var message = "It's a great day today!"; $.post('www.server.com/message='+message, function(response){ console.log(response); }); Node.js Server: //..... a bunch of code has been used to accept the HTTP request and get the message... // for the purpose of this example, the message is assigned to 'NodeMsg' var mssqldb = require("../core/mssql"); var NodeMsg =

How to block SQL injection attacks by filtering the URL parameters in php?

时光总嘲笑我的痴心妄想 submitted on 2021-02-08 12:18:22
Question: I am currently being attacked with a URL of the form: /act/test.php?CourseId=66'+and(%2f**%2fsElEcT+1+%2f**%2ffRoM(%2f**%2fsElEcT+count(*),%2f**%2fcOnCaT((%2f**%2fsElEcT(%2f**%2fsElEcT(%2f**%2fsElEcT+%2f**%2fcOnCaT(0x217e21,ifnull(MailingDate,char(32)),0x217e21)+%2f**%2ffRoM+contin5_Mailing.Customers+%2f**%2flImIt+1400,1))+%2f**%2ffRoM+information_schema.%2f**%2ftAbLeS+%2f**%2flImIt+0,1),floor(rand(0)*2))x+%2f**%2ffRoM+information_schema.%2f**%2ftAbLeS+%2f**%2fgRoUp%2f**%2fbY+x)a)+and+'1'='1

How to block SQL injection attacks by filtering the URL parameters in php?

牧云@^-^@ submitted on 2021-02-08 12:18:02
Question: I am currently being attacked with a URL of the form: /act/test.php?CourseId=66'+and(%2f**%2fsElEcT+1+%2f**%2ffRoM(%2f**%2fsElEcT+count(*),%2f**%2fcOnCaT((%2f**%2fsElEcT(%2f**%2fsElEcT(%2f**%2fsElEcT+%2f**%2fcOnCaT(0x217e21,ifnull(MailingDate,char(32)),0x217e21)+%2f**%2ffRoM+contin5_Mailing.Customers+%2f**%2flImIt+1400,1))+%2f**%2ffRoM+information_schema.%2f**%2ftAbLeS+%2f**%2flImIt+0,1),floor(rand(0)*2))x+%2f**%2ffRoM+information_schema.%2f**%2ftAbLeS+%2f**%2fgRoUp%2f**%2fbY+x)a)+and+'1'='1

How to prevent SQL Injection in PostgreSQL JSON/JSONB field?

白昼怎懂夜的黑 submitted on 2021-02-08 05:49:13
Question: How can I prevent SQL injection attacks in Go while using "database/sql"? This solves the single value field problem because you can remove the quotes, but I can't do that when filtering a JSON/JSONB field, like in the following, because the $1 is considered a string: `SELECT * FROM foo WHERE bar @> '{"baz": "$1"}'` The following works but it's prone to SQL Injection: `SELECT * FROM foo WHERE bar @> '{"baz": "` + "qux" + `"}'` How do I solve this? EDITED after @mkopriva's comment: How would I build

SQL Injection DROP TABLE not working

时间秒杀一切 submitted on 2021-02-08 05:34:54
Question: I need to demonstrate SQL Injection using PHP/MySQL. I want to inject a DROP TABLE query in a login form but it never works. (TRUNCATE table works fine OTOH.) After I input '; drop table users; # as field input, the query turns out to be SELECT * FROM `users` WHERE `email` = ''; DROP TABLE users; #' AND `password` LIKE '3232'; But it never works using the mysql_query() function. When I copy/paste this query into phpMyAdmin directly, it works perfectly and the table gets dropped. What can be the issue? Answer 1:

If all SQL queries should be prepared to prevent SQL injections, why does the syntax allow non-prepared queries?

自闭症网瘾萝莉.ら submitted on 2021-02-05 07:21:25
Question: Since all SQL queries should be prepared to prevent SQL injections, why are we allowed to write and execute non-prepared queries? Doesn't this seem counterintuitive? Answer 1: In cases where the query is a fixed string and does not need any program variables, it's safe to use query() to run it. Here's the example from https://www.php.net/manual/en/pdo.query.php: <?php $sql = 'SELECT name, color, calories FROM fruit ORDER BY name'; foreach ($conn->query($sql) as $row) { print $row['name'] . "\t";

Good prevention from MYSQL injection?

做~自己de王妃 submitted on 2021-02-04 08:41:08
Question: So I've made a form where you log in from a DB. The code should be self-explanatory. private void button1_Click(object sender, EventArgs e) { try { string MyConnection = "datasource=localhost;port=3306;username=root;password=xdmemes123"; MySqlConnection myConn = new MySqlConnection(MyConnection); MySqlCommand SelectCommand = new MySqlCommand("select * from life.players where DBname='" + this.username.Text + "' and DBpass='" + this.password.Text +"' ; ", myConn); MySqlDataReader myReader; myConn

What is the best possible way to avoid the sql injection?

隐身守侯 submitted on 2021-01-29 20:50:40
Question: I am using ruby 1.8.7 and rails 2.3.2. The following code is prone to SQL injection: params[:id] = "1) OR 1=1--" User.delete_all("id = #{params[:id]}") My question is whether doing the following will be the best solution to avoid SQL injection or not. If not, then what is the best way to do so? User.delete_all("id = #{params[:id].to_i}") Answer 1: What about: User.where(id: params[:id]).delete_all Ok, sorry, for Rails 2.x it's: User.delete_all(["id = ?", params[:id]]) Check the doc. Btw, be sure you want to use