Is SQL injection possible without double and single quotes?

Suppose we build an SQL query as follows:
SELECT * FROM user WHERE username = 'username' AND password = 'password'

If we block the characters (") and ('), will an attacker ever be able to inject?

Here is my regex, /["']/, and if there are any matches the request is blocked. I am also trying to avoid using mysqli prepared statements.
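As an added example (not from the question or from any answer on the page), the asker's string-built query and the /["']/ filter reproduced in Python against an in-memory SQLite table with constructed rows. It shows three things the filter does not account for: the textbook quoted payload is indeed blocked; a numeric context (an assumed second endpoint, not in the question) is injectable with no quote at all; and for the quoted login query itself, a username consisting of a single backslash escapes the quote that should close it under MySQL's default sql_mode, so the whole password field is parsed as SQL, again with no quote in either input (returned as text, since SQLite has no backslash escapes). The parameterised version at the end removes the problem rather than filtering around it. `make_db`, `login_query`, `lookup_query` and the table rows are names and data chosen for the example.

```python
import re
import sqlite3

# The asker's blocklist: reject the request if any input contains " or '.
QUOTE_FILTER = re.compile(r'["\']')


def blocked(*inputs: str) -> bool:
    """True when the asker's /["']/ check would reject the request."""
    return any(QUOTE_FILTER.search(s) for s in inputs)


def login_query(username: str, password: str) -> str:
    """The string-built query from the question (quoted string context)."""
    return (f"SELECT * FROM user WHERE username = '{username}' "
            f"AND password = '{password}'")


def lookup_query(user_id: str) -> str:
    """Assumed second endpoint with a numeric context (not in the question).
    Nothing quotes the value, so nothing needs to be broken out of."""
    return f"SELECT * FROM user WHERE id = {user_id}"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the asker's `user` table."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT);"
        "INSERT INTO user VALUES (1, 'admin', 'S3cret!');"
        "INSERT INTO user VALUES (2, 'bob', 'hunter2');"
    )
    return con


def run(con: sqlite3.Connection, sql: str) -> list:
    return con.execute(sql).fetchall()


def classic_payload_blocked() -> bool:
    """The textbook payload needs a quote to break out, so the filter stops it."""
    return blocked("admin' -- ", "")


def numeric_context_bypass(con: sqlite3.Connection) -> int:
    """`1 OR 1=1` contains no quote, passes the filter, and returns every row."""
    payload = "1 OR 1=1"
    assert not blocked(payload)
    return len(run(con, lookup_query(payload)))


def mysql_backslash_bypass() -> str:
    """Two injection points in one quoted query. Under MySQL's default
    sql_mode a backslash escapes the next character, so a username of `\\`
    turns the quote meant to close it into a literal character; the string
    literal then runs on to the quote that opened `password`, and the
    password value is parsed as SQL: ... OR 1=1 -- ...
    Neither input contains a quote. SQLite does not treat backslash as an
    escape, so the resulting query is returned as text rather than executed."""
    username, password = "\\", " OR 1=1 -- "
    assert not blocked(username, password)
    return login_query(username, password)


def safe_login(con: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterised form: the driver binds the values, so they are never
    parsed as SQL and no character blocklist is needed."""
    return con.execute(
        "SELECT * FROM user WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
```

The point for the question: the blocklist only defends the one context the asker has in mind, and even there it fails as soon as a second field shares the same statement. Binding parameters (mysqli prepared statements, or PDO) is the fix that does not depend on which characters an attacker needs.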

object-oriented – Managing dependencies in a Ruby class using injection

I'm working on a class that builds a PDF application package with attached documents and sends that file to an endpoint in the Box API. I have found it extremely difficult to manage the dependencies in this class. For example, I use the combine_pdf gem.

This gem has the following abilities: load a PDF and parse a file. However, these are class-level methods. Instantiating an object (pdf = ...) will not give me access to pdf.parse(file) or pdf.load(file); that will not work, and that is why I am here, having created a dependency on CombinePDF.parse and CombinePDF.load.

The same applies to the use of Prawn. When I do @pdf_prawn = Prawn::... and then try to add @pdf_prawn(page_size: 'LETTER', margin: 0), it will not work, so I have to depend on an external class inside my class.

Here's the class I'm trying to rid of these dependencies:

require 'stringio'
require 'prawn'
require 'combine_pdf'

class PDFProducer
  attr_reader :box, :pdf_prawn, :pdf, :formstack

  # Formstack stores a name field as "first = Jane\nlast = Doe".
  FORMSTACK_NAME_PATTERN = /first = (.*)\nlast = (.*)/
  PATH_OF_PARSED_PDF_FILE = '/app/tmp/pdfs/'.freeze

  def initialize(args)
    # The defaults were truncated in the original; the visible fragments are
    # `Prawn::...` and `FormStack::...`, i.e. the concrete dependencies the
    # question is about. The Prawn and CombinePDF defaults below are
    # reconstructed from how the objects are used further down.
    @box       = args.fetch(:box)
    @pdf_prawn = args.fetch(:pdf_prawn) { Prawn::Document.new }
    @pdf       = args.fetch(:pdf) { CombinePDF.new }
    @formstack = args.fetch(:formstack)
  end

  # Retrieve submitter IDs and metadata as a JSON array of objects.
  # TODO add formstack_submissions_ids and approved_submission
  def formstack_submissions
    response = @formstack.submissions
    raise "formstack: #{response['error']}" if response['status'] == 'error'

    approved_submission(response['submissions']).map { |submission| submission.fetch('id') }
  end

  def approved_submission(submissions)
    submissions.select { |submission| submission['approval_status'] == 'Approved' }
  end

  def parse_into_scrie_pdf
    # The receiver was truncated in the original; reconstructed as the
    # submissions looked up by ID, which is what pdf_scrie_application takes.
    formstack_submissions_from_id.map { |submission| pdf_scrie_application(submission) }
  end

  def formstack_submissions_from_id
    formstack_submissions.map { |id| formstack_submission(id) }
  end

  # Retrieve user data by submission ID
  def formstack_submission(submission_id)
    @formstack.submission(submission_id)
  end

  def formstack_fields
    # Body missing in the original.
  end

  # From the user submission JSON, fill in the PDF form with the user data.
  # Create a CombinePDF object to build the PDF application package.
  # Get the attachments by downloading them from Box.
  # Wrap an image in a StringIO so Prawn can read it.
  # Convert the image to PDF with Prawn and add it to the PDF package (CombinePDF).
  def pdf_scrie_application(submission)
    user_data = submission['data']
    filename  = name_file(submission)
    # The class that fills the form template was truncated in the original;
    # `form_filler` is only a placeholder for it, not a real method.
    pdf_path = form_filler(user_data, formstack_fields).export(filename)
    @pdf << CombinePDF.load(pdf_path)
    application_notes = notes(user_data)

    @box.attach_docs_from_submission(user_data).each do |file|
      data   = @box.client.download_file(file)
      is_pdf = (data =~ /%PDF-\d+\.?\d+/) == 0

      # The original left `package` empty when the download was already a
      # PDF; here the PDF bytes are appended as they are.
      package = is_pdf ? data : pdf_document_package(StringIO.new(data))
      @pdf << CombinePDF.parse(package)
    end

    add_notes_page_to_pdf_package(@pdf, application_notes) if application_notes

    @pdf.save(pdf_path) # reconstructed from a garbled line (CombinePDF#save)
    @box.upload_file_to_box(pdf_path, pdf_path)
  end

  def parse_name(name)
    name.match(FORMSTACK_NAME_PATTERN).captures.join(' ')
  end

  def format_name(name)
    name # body missing in the original
  end

  def name_from_submission(submission)
    submission['data'].detect { |field_set| field_set['field'] == name_field }['value']
  end

  def name_file(submission)
    unparsed_name = name_from_submission(submission)
    parsed_name   = parse_name(unparsed_name)

    format_name(parsed_name)
  end

  def name_pdf_file(pdf_file_path)
    pdf_file_path.gsub(PATH_OF_PARSED_PDF_FILE, '')
  end

  def add_path_to_file_name(filename)
    "#{PATH_OF_PARSED_PDF_FILE}#{filename}"
  end

  def name_field
    formstack_fields.find { |f| f['label'] == 'customer name' }&.fetch('id') || ''
  end

  def notes(user_submission)
    notes_field = user_submission.find { |field| field['field'] == notes_section_id }
    notes_field&.fetch('value')
  end

  def notes_section_id
    notes = 'use_the_space_below_to_add_notes_to_this_application'
    formstack_fields.find { |field| field['name'] == notes }.fetch('id')
  end

  def add_notes_page_to_pdf_package(pdf, notes)
    @pdf_prawn.text notes
    pdf << CombinePDF.parse(@pdf_prawn.render)
  end

  def pdf_document_package(string_image)
    page = pdf_blank_pages
    # The `fit:` dimensions were truncated in the original; fitting the image
    # to the page bounds is the closest reconstruction.
    page.image(string_image, fit: [page.bounds.width, page.bounds.height], position: :center)
    page.render
  end

  def pdf_blank_pages
    Prawn::Document.new(page_size: 'LETTER', margin: 0)
  end
end

dependency-injection – Unit test for a method in a class that uses constructor DI (Prism)

So the problem is that the IEventAggregator is part of Prism. Therefore, every one of your objects that uses it depends on that library.

That's not really a problem for the unit tests. It does not matter if they reference some additional libraries.

However, if you want to use the same objects in a web version of your application, then the Prism library would be awkward and no longer necessary.

Keep your business objects separate from the implementation of the logic that requires specific libraries.

In this case, for example, you can use Prism in your view models. They are bound to your WPF app, which in turn uses Prism. However, you want your models and interfaces to be free of Prism references.

PS. Of course, as with any "best practice", you can cut corners where it makes sense.

dependency-injection – Using a class to call a custom Drush service

I've created a Drush service and can use it on the command line, but I'm trying to use dependency injection to call it from another class. However, it says that the service cannot be found (from public function __construct). All other regular services can be injected and used, with the exception of the Drush service. Can Drush services be injected? Are they injected differently from other dependencies?

I've added the changes to composer.json ({extra}) and the Commands.php file. Everything works except dependency injection.

I use Drupal 8, Drush 9.

Many thanks,

SQL injection that bypasses the site's firewall, which filters the table prefix

There is a website I am checking for security weaknesses. It runs Joomla 1.5.x with MySQL 5.5.24 and PHP 5.3.2.

Is there a way to do a successful SQL injection when the WAF filters every injection containing the table-name prefix: ... UNION SELECT * FROM prefix__tablename?

This did not work, for example:
... UNION SELECT * FROM prefi/**/x__tablename

SQL Injection – How to retrieve a restricted range of entries using sqlmap?

I have one table (e.g. user) with more than 1 million entries.
But if I try sqlmap with --start and --stop it does not work.

For example, the command is: -u -D data -T tables --start 1100000 --stop 1200000 --dump

I've tried many times, but only get results like this:

[03:35:01] [WARNING] something went wrong with the full UNION technique (possibly due to a limitation on the retrieved number of entries). Falling back to the partial UNION technique
[03:35:01] [WARNING] in case of data retrieval problems you are advised to try the --no-cast or --hex switch

If I run: -u -D data -T tables --dump

the result is as follows:

[03:47:25] [INFO] the back-end DBMS is MySQL

web application technology: Apache, PHP 5.5.38
back-end DBMS: MySQL >= 5.0.12
[03:47:25] [INFO] fetching columns for table 'user' in database 'xxxxxx'
[03:47:26] [INFO] fetching entries for table 'user' in database 'xxxxxx'
[03:48:19] [ERROR] invalid data for declared content encoding 'gzip' detected ('size too big')
[03:48:19] [WARNING] turning off page compression
[03:48:45] [WARNING] large response detected. This could take a while

How can I dump all the data?
Thank you for reading!

unity – Is dependency injection a must in the Unity3D engine?

When I was looking for some DI material on the internet, I found that dependency injection is something that can easily be done with the Singleton pattern. However, there are two completely different approaches to this problem. Some people say it only adds complications to the project, but others say it's a great tool to decouple classes and code, and there is certainly Zenject, which was developed specifically for Unity 3D.

Get plugin definition methods with dependency injection

I've defined a custom plugin type for the first time.
I think this must come up often in Drupal, but I could not find any documentation anywhere.

I want to get the plugin definition methods from the controller.

I use this code to get the plugin definitions:

$type = \Drupal::service('plugin.manager.task');
$plugin_definitions = $type->getDefinitions();

And that gives me a bunch of definitions with plugin ID, class and name.

What I want is to get the methods from the definition class.

I do not know if I should create a service for each plugin definition, but that does not seem like a good idea.

Does Drupal core have tools to do this?

Hope you understand.

Microsoft CRM Injection – Information Security Stack Exchange

There are different injection types, namely SQLi, HTMLi, XMLi etc.

I tested an application that accepts user input which is then processed by CRM. I am completely new to it; however, I went through what CRM means here from Microsoft documents and forums.

It looks similar to XML. I've tried a lot to break the query (as with SQLi) to get data. An example query is shown here.

My questions are:

1) Has anyone ever come across exploiting this? Is it even exploitable?

2) If so, how, and what useful links are there to continue?

What type of attack is the SQL injection below?

Today I saw something like this in my access log.

It's an SQL injection attack, but I cannot figure out what the end user is trying to do:

something.html or (1,2)=(select * from (select name_const(CHAR(103,119,111,107,69,82,84,99,118),1),name_const(CHAR(103,119,111,107,69,82,84,99,118),1)) a) -- 'x'='x

Also, the ASCII representation of the characters corresponds to "gwokERTcv". What does that mean?
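The payload from the log, decoded, as an added example that is not part of the original post. The copy below is constructed from the logged line (spaces inside the CHAR() arguments removed). The code expands each MySQL CHAR(...) call into the string it builds (the alias gwokERTcv, which is why the ASCII decode comes out that way) and recognises the shape of the probe: a row constructor (1,2) compared with a derived table whose two name_const() columns carry the same alias. MySQL refuses such a derived table with error 1060, "Duplicate column name 'gwokERTcv'", so if that error text (or a generic database error) appears in the response, the attacker, almost certainly an automated scanner, knows the input reached the SQL engine; the random alias is simply a marker to search the response for. The same recogniser works as a detection rule over other log lines; the regular expressions and the function names are mine, not from any tool.

```python
import re

# Constructed copy of the request from the asker's access log (spaces inside
# the CHAR() arguments removed, otherwise as logged).
LOG_PAYLOAD = (
    "something.html or (1,2)=(select * from (select "
    "name_const(CHAR(103,119,111,107,69,82,84,99,118),1),"
    "name_const(CHAR(103,119,111,107,69,82,84,99,118),1)) a) -- 'x'='x"
)

CHAR_CALL = re.compile(r"CHAR\s*\(\s*([\d\s,]+)\)", re.IGNORECASE)
NAME_CONST = re.compile(r"name_const\s*\(", re.IGNORECASE)
ROW_VS_SUBQUERY = re.compile(
    r"\(\s*\d+\s*,\s*\d+\s*\)\s*=\s*\(\s*select\b", re.IGNORECASE
)


def decode_char_calls(sql: str) -> list:
    """Expand every MySQL CHAR(n, n, ...) into the string it builds.
    CHAR() is how attackers spell a string when quotes are filtered."""
    strings = []
    for match in CHAR_CALL.finditer(sql):
        codes = [int(c) for c in match.group(1).replace(" ", "").split(",") if c]
        strings.append("".join(chr(c) for c in codes))
    return strings


def inline_char_calls(sql: str) -> str:
    """Rewrite the payload with each CHAR() call replaced by a quoted literal,
    which is the form a human reads most easily."""
    return CHAR_CALL.sub(lambda m: "'" + decode_char_calls(m.group(0))[0] + "'", sql)


def is_duplicate_column_probe(sql: str) -> bool:
    """Recognise the error-based probe: a row constructor compared with a
    derived table holding two name_const() columns under one alias. MySQL
    rejects the derived table with 'Duplicate column name <alias>' (error
    1060); the attacker reads the error as a yes/no answer to 'did my input
    reach the database?' and the alias is the marker they look for."""
    aliases = decode_char_calls(sql)
    same_alias_twice = len(aliases) >= 2 and len(set(aliases)) == 1
    return (
        len(NAME_CONST.findall(sql)) >= 2
        and same_alias_twice
        and ROW_VS_SUBQUERY.search(sql) is not None
    )
```

Running `inline_char_calls(LOG_PAYLOAD)` gives the readable form `... (select name_const('gwokERTcv',1),name_const('gwokERTcv',1)) a) ...`. Nothing in the probe exfiltrates data by itself; it is reconnaissance, and the thing to check in the application is whether the request produced a 500 or a database error message, because that is the signal the scanner was after.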