I am using prepared statements with mysqli(); to insert and retrieve data on my website also i used bind_param so i don't add variables directly into the query.I used strip_tags to clean any inputs what else should i look out for ?
Don't use strip_tags() on database input: use htmlentites() (or urlencode() where appropriate) on browser output.
Related
I am dynamically creating mysql statements in Node JS using the mysql2 library to retrieve and store data,
I recently began getting a bug 'Can't create more than max_prepared_stmt_count statements (current value: 16382)'
After doing some digging I realised I was not using placeholders within my statements and thus cached statements were not closed, as I begun changing my code to utilise the placeholders to prevent this I also realised that you can not use placeholders for the names of schema objects.
An example of many is:
let obj = await pool.execute(select * from + config_schema + .parameters);
Firstly I am unsure if this will be contributing to my prepared statements, and secondly if there is a better way to do what I am trying to achieve.
Any help/advice is greatly apricated!
Using .query() instead of .execute resolved this issue as .execute() in this library will prepare statements.
I need help with Get Statements and Running on a site on PHP
I have this a my PHP code
This is how I save it but it only saves username ...
http://example.com/NC0.php?U=namehere
I have tried this below but it doesn't work
http://example.com/NC0.php?U=namehere?P=passhere
How can I make it like........ NC0.php?U=namehere?P=passhere
or something similar thanks!!!
You are using the ? multiple times. It is meant to start the query! To have multiple parameters in the URL you use the & symbol to differentiate the parameters.
For example,
http://example.com/NC0.php?U=namehere&P=passhere
I have an HTML form that I'm using to submit some SQL data. I'd like to pass the MYSQL function LAST_INSERT_ID() as a value but when I do this there are single tick marks that get added the the function upon insert and it fails, like this 'LAST_INSERT_ID()'.
I want to be able to use this function so I can call what that ID was.
Is it possible to pass this function successfully?
No, you can't pass SQL code instead of values and have it automatically executed on the server.
(Can you imagine how that could have been used by someone with not so good intentions...?)
You could send a special "magic" value, that the code on the server would recognise, and change the query to use last_insert_id() for the value. (You could use the function name as magic value, but you should probably use something less obvious.)
To insert code in a query like that, you need to create the SQL query dynamically. When you create queries dynamically, make sure to escape values properly so that the code isn't open to SQL injection attacks.
I am using Ruby on Rails 3.2.2 and I am running the following raw SQL:
sql = "INSERT INTO articles (`title`, `user_id`) VALUES #{inserts.join(", ")}"
ActiveRecord::Base.connection.execute(sql)
However, I would like to use the Ruby on Rails exec_insert method but there isn't good documentation about that. So, how can I use the exec_insert method so to make the same thing I stated above (maybe using something like Article.connection.exec_insert(...))?
You can use exec_query for this
ActiveRecord::Base.connection().exec_query('INSERT INTO articles(title, user_id) VALUES($1, $2)', 'someQueryName', [[nil, title], [nil, user_id]])
Please note that I have used and tested $1, $2 for Postgres only as $1,$2 is the convention used for binding prepare query in postgres.
It maybe different for MySql & other databases. For Mysql I think it should be ? instead of $1, $2 etc, it depends on how the database offers binding
Also you might have to set prepare_query: true for some. Refer -http://api.rubyonrails.org/classes/ActiveRecord/ConnectionAdapters/DatabaseStatements.html#exec_query
exec_insert is an internal method and probably isn't what you want here. What you have should be fine.
If you're really set on using it, and need examples, the test suite possibly the best place to find them. One example is here.
I am using kohana 2.3.4, I have a text area for "Embed Google Map Code", the system automatically strips the Iframe tag and not inserted on the database. here's my code snippet for inserting/updating:
$this->db->query("UPDATE tbl_sites SET map_code='$_POST[map_code]' WHERE id=$id");
My guess is that you are forgetting the quotes when indexing into the $_POST array. Try this:
$this->db->query("UPDATE tbl_sites SET map_code='{$_POST["map_code"]}' WHERE id={$id}");
You should also make sure to sanitize the values coming from the $_POST array before using it in a query.
That query looks dodgy, but if you're certain it's updating the record correctly, and Kohana is only stripping the iframe, then perhaps this is an issue with XSS filtering.. have you tried to turn off global XSS filtering? http://docs.kohanaphp.com/general/security#cross_site_scripting_xss