Most voted "sql-injection" questions
SQL Injection is a type of security threat that takes advantage of flaws in systems that interact with databases via SQL. SQL injection occurs when an attacker is able to insert SQL statements into a query by manipulating the input data of an application.
36 questions
- 199 votes, 9 answers, 12451 views
  How to prevent SQL code injection into my PHP code?
  I developed a PHP page for internal use of the company I work with and only very few people use it. Through this page it is possible to make some queries, insertions, changes and removals of data…
- 39 votes, 3 answers, 859 views
  I am suffering attacks of type SQL Injection
  Ever since I started an online project, I’ve been having problems with hacking, where someone is making direct entries into the database. This is what gave me the initiative to put in all the…
- 38 votes, 3 answers, 1203 views
  Why do parameterized SQL queries (name = ?) prevent SQL Injection?
  Why do parameterized SQL queries (nome = ?) prevent SQL Injection? Can you cite examples?
- 31 votes, 3 answers, 1472 views
  How does an SQL Injection happen?
  Why does creating parameters for each field that will be updated help prevent SQL Injection? Example: SqlCommand comm = new SqlCommand("UPDATE Contatos Set Telefone = @Telefone, " + "Cidade = @Cidade, "…
- 17 votes, 2 answers, 3105 views
  What is the question mark in a query?
  Does using ? in a query really avoid SQL Injection? Does it avoid it 100%? I saw this code and I heard many people talking about it, saying it helps in this case, and how do I use it? Could someone give a better…
- 12 votes, 2 answers, 7355 views
  Is it better to parameterize your PreparedStatement even if the value is fixed?
  I always read the blog Java Revisited and I’ve been reading the article today Why use PreparedStatement in Java JDBC - Example Tutorial. At a certain point the author talks about parameterization of…
- 7 votes, 1 answer, 188 views
  Security: what threats besides SQL Injection do I have to worry about for a search field?
  I’m getting deeper into web programming (with PHP) and I have this doubt. I’ve seen some similar things in some places, but going straight to the point, I wanted you to tell me what the main security…
- 6 votes, 1 answer, 368 views
  Why do they say $_GET in PHP is insecure against SQL Injection?
  Well, my question is simple. I’ve been hearing a lot of stories lately that $_GET in PHP is insecure against SQL Injection. Could you tell me why? Thank you.
- 6 votes, 2 answers, 724 views
  Does mysqli_real_escape_string prevent SQL Injection?
  According to the documentation, the function: Escapes special characters in a string for use in an SQL statement, taking into account the current character set of the connection. So:…
- 5 votes, 2 answers, 2818 views
  Block JavaScript and SQL Injection attacks on the same string
  I am receiving data from a form in PHP via GET. I’m handling the information as follows: $search = mysql_real_escape_string(htmlspecialchars($_GET["t"], ENT_QUOTES, 'UTF-8')); With this I intend to…
- 5 votes, 2 answers, 254 views
  Explain in a simpler way what these attacks are
  I would like to know in a more simplified way what these types of attacks are: keylogger, brute-force attack, rubber-hose cryptanalysis, SQL Injection. And please, if you could go deeper into the…
- 4 votes, 2 answers, 5267 views
  How to damage a website using XSS/SQL Injection?
  I’m no kind of hacker, but I know some techniques. I’m training in security and I got really thoughtful about it. Every time I inject a script, it’s an alert(), nothing dangerous to the host (for…
- 4 votes, 2 answers, 197 views
  How to detect an attempted intrusion?
  In order to protect against SQL injection, I need to write a function in which I eliminate the possibility of someone trying to act in bad faith. The question is, mysqli brings with it some…
- 4 votes, 3 answers, 714 views
  Is filter_var() sufficient to avoid SQL Injection?
  Is handling input variables in a MySQL query using filter_var sufficient to avoid Injection?
- 3 votes, 1 answer, 70 views
  How to protect myself against "Mongoinjection"
  I use MongoDB in a front-end application that runs on Node.js through the Express framework. I would like to know how to create protections against MongoDB "Injection" (similar to SQL Injection).…
- 3 votes, 2 answers, 258 views
  Is it possible to manipulate SESSION variables to perform SQL Injection?
  I’m not an expert on cyber attacks and I have a little doubt about the safety of my projects. Basically, one of the ways I prevent SQL injections is by creating a function "treatString()", for example,…
- 2 votes, 1 answer, 667 views
  Anti SQL Injection (I tried everything but Havij still picks up)
  Hello! I’m going through a rough patch. I’ve tried ALL the techniques I found on the Internet that can stop SQL Injection, and yet Havij can get my data. This is the code of the page I’m making the…
- 2 votes, 1 answer, 59 views
  Doubt about SQL Injection/mysqli_real_escape_string
  I’m having doubts about SQL Injection in PHP. I have a class that has the user object, and there has name, age, etc. Then I put in the variable query something like: insert into…
- 1 vote, 2 answers, 9591 views
  How to avoid SQL Injection in my PHP application?
  Explanation: Most applications using PHP receive parameters via $_GET or $_POST, and these parameters often become an easy target for users with bad intentions; this is called SQL…
- 1 vote, 2 answers, 357 views
  How to avoid an SQL Injection attack in this query?
  In this case, I am passing WHERE through the $where variable. Can the system suffer SQL Injection? How to avoid it in this case? For example: select nome from usuario where $where; $where = "cod =…
- 1 vote, 1 answer, 331 views
  PHP Security - Avoid SQL Injection
  Is it wrong or unsafe to use: if ($_SERVER['REQUEST_METHOD'] === 'POST') { foreach ($_POST as $key => $value) $$key = $value; ... } Let’s say I have this code, but use a Procedure call with…
- 1 vote, 1 answer, 398 views
  PHP Stored Security XSS and SQL Injection
  Is there any security breach or possibility of attacks in the code below? public static function prepareQuery($query, $params){ $preparedQuery = self::getConn()->prepare($query); foreach…
- 1 vote, 0 answers, 32 views
  Problem with SELECT and bindParam()
  When adding bindParam() after preparing the query, it gives an error in execute, which says the following: Fatal error: Uncaught Error: Cannot pass Parameter 2 by Reference in C: xampp htdocs…
- 1 vote, 0 answers, 266 views
  Avoid SQL Injection in a Login Form
  Good morning, everyone. I’m new to anti-SQL Injection security. I always learned only to validate the inputs and then use them in the query, always with mysqli_query and mysqli_fetch_array. I have…
- 1 vote, 1 answer, 414 views
  SQL Injection in Stored Procedures
  Is it possible to carry out SQL injection in Stored Procedures, especially when calling a procedure through PHP’s PDO? DELIMITER // CREATE PROCEDURE procedureTeste( string VARCHAR(255) ) BEGIN…
- 1 vote, 0 answers, 308 views
  Avoid SQL Injection - with PHP and MySQL
  When I try to log in to the administration page of the site with ' OR 1=1 -- in the login and password it allows access! I’m trying to use the following function, but I still have access without…
- 0 votes, 2 answers, 109 views
  Error in SQL syntax - mysqli_real_escape_string
  I have a syntax error in my code, but I can’t find my error. This is the error I’m getting: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for…
- 0 votes, 2 answers, 6093 views
  How to test with SQL Injection
  I want to do some tests of SQL Injection. For this, I created a db called person and a table called users. I am passing some SQL statements to test the injection of SQL. It gives an error, but does not…
- 0 votes, 1 answer, 63 views
  I want an example of why replacing ' with '' for the parameters of a query is dangerous
  I see many posts on this subject, but I do not see any example that fits my case. function sanitize($value) { $val = str_replace("'", "''", $value); $val = str_replace("\\", "\\\\",…
- 0 votes, 2 answers, 147 views
  Use of mysqli_prepare prevents major SQL Injection attacks
  I know that the mysqli_prepare function is used to prepare SQL queries and protect them against SQL Injection. I found two pages about SQL Injection:…
- 0 votes, 2 answers, 148 views
  How to protect yourself from malicious input through a select dropdown?
  I have a form with a few select options, for example: <select id="sel1" name="sel1"> <option disabled selected style="display: none">Titulo</option> <option…
- 0 votes, 0 answers, 38 views
  Idea for a data cleaning and processing library
  I need to make a library for data processing, so I can use it before calling functions like Register, Change, Delete, etc. I am using PDO for communication with the MySQL database, and the…
- 0 votes, 1 answer, 24 views
  PDO doubt about SQL Injection
  I am venturing a little with PDO, still at the beginning, and I have a question regarding a query with SQL Injection; here it is: $insert = "INSERT INTO tabela (campo1, campo2, campo3) VALUES…
- -1 votes, 1 answer, 82 views
  Problem creating SQL INJECTION security
  I have a PHP function where I pass the data to it and it does an UPDATE on the data. However, I am implementing security against SQL INJECTION, but it is not working. What would be the problem?…
- -2 votes, 2 answers, 81 views
  What’s the risk with this intel?
  Hey folks, what risk would I take if someone wanted to give an insight into this example: $valorGet = $_GET["valor"]; $sql = "SELECT * FROM tabela WHERE caminho = '$valorGet'"; My question is,…
- -4 votes, 0 answers, 39 views
  Which of these methods is best to handle a PHP input in order to avoid SQL Injection?
  prepare() and bind_param(); filter_input; filter_sanitize…