Poll: What do you know about Structured Query Language?

  • Intercept with PHP: 2 votes (28.6%)
  • Much: 2 votes (28.6%)
  • Much more: 4 votes (57.1%)
  • Much more: 2 votes (28.6%)
  • Total voters: 7

mud-oil-chafu (JF-Expert Member), Dec 27, 2020
SQL Injection (SQLi) is a type of injection attack that makes it possible to execute malicious SQL statements. These statements control a database server behind a web application. Attackers can use SQL Injection vulnerabilities to bypass application security measures. They can go around the authentication and authorization of a web page or web application and retrieve the content of the entire SQL database. They can also use SQL Injection to add, modify, and delete records in the database.

An SQL Injection vulnerability may affect any website or web application that uses an SQL database such as MySQL, Oracle, SQL Server, or others. Criminals may use it to gain unauthorized access to your sensitive data: customer information, personal data, trade secrets, intellectual property, and more. SQL Injection attacks are among the oldest, most prevalent, and most dangerous web application vulnerabilities. The OWASP organization (Open Web Application Security Project) lists injection in its OWASP Top 10 2017 document as the number one threat to web application security.
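The two outcomes the post describes (authentication bypass and dumping the whole table) side by side with the fix, as an added example that is not part of the original post. It uses Python's built-in sqlite3 module with a constructed two-row users table; the attacker inputs are hypothetical and the plaintext passwords exist only to make the exfiltration visible.

```python
import sqlite3

# Constructed sample data (not from the thread): a toy users table with plaintext
# passwords, which is itself bad practice but makes the exfiltration visible.
SAMPLE_USERS = [("juma", "s3cret", "admin"), ("asha", "hunter2", "user")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation: the input becomes SQL code."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Same query with bound parameters: the input is always data, never SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    conn = make_db()
    # Hypothetical attacker inputs. The first turns the WHERE clause into a tautology
    # and comments out the password check; the second appends a UNION that pulls
    # every password out of the table (the "entire database" case in the post).
    bypass_payload = "' OR '1'='1' --"
    exfil_payload = "' UNION SELECT password, role FROM users --"
    return {
        "bypass": login_vulnerable(conn, bypass_payload, "x"),   # every user row
        "exfil": login_vulnerable(conn, exfil_payload, "x"),     # password/role pairs
        "blocked": login_safe(conn, bypass_payload, "x"),        # no rows
        "legit": login_safe(conn, "juma", "s3cret"),             # the real login
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The database driver is the same in both functions; the only difference is whether the user-supplied string is spliced into the statement text or handed to the driver as a parameter.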
 
Using the latest technology, using frameworks, and improving security measures can reduce/prevent SQL injection.

Language: Python
Framework: Django framework
Database: PostgreSQL

No SQL injection at all
 
Is Python a back-end development language?
 
Yeah sure, Python (Django framework) enables you to develop almost the entire system using only one language (Python), starting from database design (using Models), developing the system logic, and also displaying output to the user (Django Template Language).
Once you use a Python framework, you won't use Structured Query Language, hence no SQL injection at all.
 
The latest very-high-level language, the most marketable language in the world, and the easiest language to learn is .py
 
I was only concentrating on PHP and SQL for the back end... but I've decided the languages I studied are enough, so I have no time for Python.
There's truth in that, especially if there are many PHP jobs in your area; for freelancing too you can specialize as a PHP developer.

I think if you have reached a certain level in a few languages, then use those, unless there is a real need, because you can adapt; as for the SQL injection issue, whatever you do, if you don't yet understand yourself you will still have it.

MK254
 
There's a PDO module I'm writing for making the DB connection and running queries securely.
The module will be very safe; there will be functions you call to make the connection and do sanitization, filtering everything: XSS, SQLi.
I'll post it here.
 
(Replying to the Python / Django / PostgreSQL "no SQL injection at all" post above.)
Haha, I like MongoDB and NodeJS... But I swear PHP will still exist, like Dennis Ritchie said of C.
 
My degree covers C programming, Java, and PHP.
Python I studied on my own without anyone teaching me, because I knew C programming very well.

Where I'm employed I got a big opportunity for a course in additional skills, which is Python, and now we develop all of the organization's projects in Python. Just believe in what you're doing, but make sure it's correct.
 
What if:

PHP:
// Array holding the only values that are allowed
$nataka_hawa_tu = array('Mbwa', 'Paka', 'Mbuzi');

// Block that validates what came in through the <option> tags against the values in the array
// (strict comparison, and a missing field counts as invalid)
if (!in_array($_POST['viumbe'] ?? '', $nataka_hawa_tu, true)) {
    $shida['viumbe'] = 'Hey! Please choose only the allowed creatures';
} else {
    // After that they define a variable that takes the validated data
    $kilichopita = $_POST['viumbe'];

    // Finally they insert it into the database
    // (Unganisha is the poster's own connection class, assumed to wrap PDO)
    $unganisha = new Unganisha;
    $hifadhi = $unganisha->prepare('INSERT INTO viumbe (kiumbe) VALUES (?)');
    $hifadhi->execute([$kilichopita]);
}
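The allowlist-then-bind pattern from the post above, as an added example that is not part of the original post, generalised to the case the `?` placeholder cannot cover. A placeholder binds a value, so `Mbwa` versus a crafted string makes no difference to the prepared INSERT; but a column name in ORDER BY (or a table name) is an identifier, not a value, and cannot be bound at all. There the `in_array()`-style allowlist is the only defence. Written in Python with sqlite3 so it runs offline; the table, animals and sort columns are constructed for the example, and the invalid inputs are hypothetical.

```python
import sqlite3

# Values: could be bound with ?, but an allowlist is still good input validation.
ALLOWED_ANIMALS = ("Mbwa", "Paka", "Mbuzi")
# Identifiers: cannot be bound, so the allowlist is the only thing standing
# between the request and the statement text.
ALLOWED_SORT_COLUMNS = ("id", "kiumbe")


class ValidationError(ValueError):
    pass


def make_db():
    # Constructed schema mirroring the post's viumbe (kiumbe) table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE viumbe (id INTEGER PRIMARY KEY, kiumbe TEXT)")
    return conn


def save_animal(conn, animal):
    """Allowlist the form value, then insert it through a bound parameter.

    Raising (rather than only recording an error and carrying on) is what stops
    a rejected value from reaching the database.
    """
    if animal not in ALLOWED_ANIMALS:
        raise ValidationError("Choose only one of the allowed creatures")
    conn.execute("INSERT INTO viumbe (kiumbe) VALUES (?)", (animal,))
    conn.commit()


def list_animals(conn, sort_by="id"):
    """The ORDER BY column is an identifier: validate it, then interpolate it quoted."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValidationError("Unknown sort column")
    sql = f'SELECT id, kiumbe FROM viumbe ORDER BY "{sort_by}"'
    return [row[1] for row in conn.execute(sql)]


def demo():
    conn = make_db()
    for animal in ("Paka", "Mbuzi", "Mbwa"):
        save_animal(conn, animal)

    # Hypothetical bad inputs: an unknown value and an injection-shaped value.
    rejected = []
    for bad in ("Simba", "Mbwa'); DROP TABLE viumbe; --"):
        try:
            save_animal(conn, bad)
        except ValidationError:
            rejected.append(bad)

    # Hypothetical identifier injection attempt; no placeholder can catch this one.
    try:
        list_animals(conn, "kiumbe; DROP TABLE viumbe")
        sort_rejected = False
    except ValidationError:
        sort_rejected = True

    return {
        "by_id": list_animals(conn, "id"),          # insertion order
        "by_name": list_animals(conn, "kiumbe"),    # alphabetical
        "rejected": rejected,
        "sort_rejected": sort_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the second allowlist is that it is checked against a fixed tuple of known column names, never against the request; the f-string only ever sees a string that came out of that tuple.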
 
Code:
<?php
/*
PDO CONNECTION
Written By thegreatwizard
*/
$host = 'localhost';
$user = 'root';
$pass = '';
$db = 'mydb';
try {
    $DBH = new PDO("mysq:host=$host;dbname=$db", $user, $pass);
    $DBH->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $name = 'juma'; $addr = 'Kisutu';
    $STH ->prepare('INSERT INTO users (name, addr)');
    $STH->bindParam(1, $name); $STH->bindParam(1, $arr);
    $STH->execute();
} catch (PDOException $E) {
    file_put_contents('log.html', $E->getMessage(), FILE_APPEND);
}
?>
 
You've made your code too long, sir, and it also has errors; there was no need to bind the parameters the old way (there are places where it is used), but what if you do the same as me, and don't forget your database connection.


Code:
$STH = $DBH->prepare('INSERT INTO users (name, addr) VALUES (?, ?)'); // Add placeholders and execute with those values (remember to filter them before execution)
$STH->execute([$name, $addr]); // That is enough
 
Honestly, you guys make me really envious with these programming skills. Personally I have a little knowledge of C, C++ and Pascal; what guidance would you give me on how to proceed? I'd like to become a good programmer.
 
(Replying to the PHP in_array() allowlist and prepared-statement example above.)
So long as your query has (?) you're vulnerable to SQL injection.
 
