sql injection - Parameterized SQL statements vs. very simple method -

-

when started write first sql-statements in programs felt quite comfortable protecting myself against sql-injection simple method colleague showed me. replaced single quotes 2 single quotes.

so example there searchfield in can enter customername search in customertable. if enter

peter's barbershop

the select statement like

select * customers customername = 'peter''s barbershop'

if attacker insert this:

';drop table foo; --

the statement like:

select * customers customername = ''';drop table foo;--'

it not drop table, search customertable customername ';drop table foo;-- which, suppose, won't found ;-)

now after while of writing statements , protecting myself against sql-injection method, read many developers use parameterized statements, never read article "our" method used. there reason it.

what scenarios parameterized statements cover our method doesn't? advantages of parameterized statements compared our method?

thanks
philipp

the parametrized queries has more proc defence sql-injection.

  1. it solves problem date & time formating & parsing.
  2. you can prepare execution plan parametrized query.
  3. the sql-injection protection.

i can't remember pros :).

however way "double every quotes" has problem fields limited character length.

for example:

  • the page has box "nickname" can 10 character long.
  • the user insert "don't care" - exact 10 characters.

now if double quotes, value has 11 characters , database "cut" it, , got value in db user typed.

so recommend parameters.


Comments

Post a Comment

Popular posts from this blog

javascript - Enclosure Memory Copies -

-
function myclass() { //lots , lots of vars , code here. this.bar = function() { //do numerous enclosed myclass vars } this.foo = function() { alert('hello'); //don't enclosed variables. } } each instance of myclass gets own copy of bar , foo, why prototyped methods use less memory. however, know more memory use of inner methods. it seems obvious me (1) below must true. agree? not distinct myclass instances have own distinct copies of bar, must have own distinct copies of myclass enclosure. (or else how bar method keep myclass variables straight on per instance basis?) now (2) question i'm after. since inner foo method doesn't use in myclass enclosure natural qustion is: javascript smart enough not keep myclass enclosure in memory use of foo? this depend entirely on implementation not language. naive implementations keep far more around others. answer true e.g. v8 (chrome's js engine) may not true spider...
Read more

php - Replacing tags in braces, even nested tags, with regex -

-
example preg_replace('/\{[a-za-z.,\(\)0-9]+\}/', 'replaced', 'lorem ipsum dolor sit {tag1({tag2()})}, consectetur adipiscing elit.'); the result: lorem ipsum dolor sit {tag1(replaced)}, consectetur adipiscing elit. question as can see "tag2" has been replaced, want replace "tag1" know how can this? (in cases might this: {tag1({tag2({tag3()})})}) , on.) btw using preg_replace_callback, easier show preg_replace here site can test code: http://www.spaweditor.com/scripts/regex/index.php you need add curly braces character set. here's pattern used: /\{[a-za-z.,\(\)\{\}0-9]+\}/ and here result: "lorem ipsum dolor sit replaced, consectetur adipiscing elit."
Read more