sql = "SELECT * FROM tbl WHERE name='" + param + "'";
With code like this, if param contains a string that includes a single quotation mark, for example
123'456, the generated SQL is
SELECT * FROM tbl WHERE name='123'456'
This results in a syntax error. The same goes for using
format instead of string concatenation.
Syntax errors are fine, but an input such as 'OR1 produces SQL that executes with unintended results. This is the so-called SQL injection vulnerability.
To prevent this, one of the following is required:
- Use a binding mechanism using placeholders
- Escape the value into the correct form as a string literal when assembling the SQL
Also, there are other things to be careful about when using an RDBMS from a program, so first read the section "How to Call Secure SQL" in the IPA guide "How to Create a Secure Website" (https://www.ipa.go.jp/security/vuln/websecurity.html).
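The three cases above (the syntax error from a stray quote, the injected condition, and the two fixes) side by side, as an added example that is not part of the original answer. It uses Python's built-in sqlite3 module with a constructed in-memory table; the table name tbl and the column name come from the answer, the row contents and the function names are assumptions made here. Note that the escaping variant doubles single quotes, which is the SQL standard form for a string literal, but escaping rules differ between database engines, which is why the placeholder variant is the one to prefer.

```python
import sqlite3


def setup():
    """Constructed sample data: an in-memory table with three names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO tbl (name) VALUES (?)",
        [("alice",), ("bob",), ("123'456",)],
    )
    conn.commit()
    return conn


def find_by_name_concat(conn, param):
    """Vulnerable: the value is concatenated straight into the SQL text."""
    sql = "SELECT * FROM tbl WHERE name='" + param + "'"
    return conn.execute(sql).fetchall()


def escape_literal(value):
    """Escape a value as a SQL string literal by doubling single quotes."""
    return "'" + value.replace("'", "''") + "'"


def find_by_name_escaped(conn, param):
    """Fix 1 (weaker): assemble the SQL, but escape the value first."""
    sql = "SELECT * FROM tbl WHERE name=" + escape_literal(param)
    return conn.execute(sql).fetchall()


def find_by_name_bound(conn, param):
    """Fix 2 (preferred): a placeholder keeps the value out of the SQL text."""
    sql = "SELECT * FROM tbl WHERE name=?"
    return conn.execute(sql, (param,)).fetchall()


def run_checks():
    """Run each variant on a quote-bearing value and an injected condition."""
    conn = setup()
    quoted = "123'456"            # legitimate value containing a quote
    injected = "x' OR '1'='1"     # value that rewrites the WHERE clause
    results = {}

    # Concatenation: the lone quote breaks the statement ...
    try:
        find_by_name_concat(conn, quoted)
        results["concat_quote_error"] = False
    except sqlite3.OperationalError:
        results["concat_quote_error"] = True
    # ... and a crafted value returns every row instead of none.
    results["concat_injected_rows"] = len(find_by_name_concat(conn, injected))

    # Escaping: the quote is handled and the injected text stays a literal.
    results["escaped_quote_rows"] = find_by_name_escaped(conn, quoted)
    results["escaped_injected_rows"] = len(find_by_name_escaped(conn, injected))

    # Placeholder binding: same outcome, without hand-built SQL text.
    results["bound_quote_rows"] = find_by_name_bound(conn, quoted)
    results["bound_injected_rows"] = len(find_by_name_bound(conn, injected))
    return results


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

Running the file prints one line per check: the concatenated query fails on the quoted value and returns all three rows for the injected one, while both fixes return exactly the single matching row for the quoted value and no rows for the injected one.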
© 2023 OneMinuteCode. All rights reserved.