A Deeper Look at SQL Injection

1. What is SQL injection?

Sql injection is an attack method that adds sql code to the input parameter and passes it to the Sql server for parsing and execution.

2. How did it come about?

Web developers cannot guarantee that all input is sanitized

The attacker constructs executable SQL code using the input data sent to the SQL server

The database is not configured for security

3. How to find SQL vulnerabilities?

Identify all input points in a web application

Understand what types of requests trigger exceptions? (special characters " or ')

Detect anomalies in server responses

4. How to perform SQL injection attack?

Digital Injection:

Select * from tablename where id=1 or 1=1;

String injection:

MySQL's comment feature:

The characters after # and -- are commented out, so no matter what password is entered, it can be queried correctly. Please click here to enter image description

5. How to prevent SQL injection?

Strictly check the input format: is_numeric(var), tp5 validate verification, and use regular expressions to check whether the string is between [A-Za-z]

Escape: addslashes(str),

mysqli_escape_string() function to escape

6.MySQLi's precompilation mechanism

Parameterized Binding

Parameterized binding is another barrier to prevent SQL injection. PHP MySQLi and PDO both provide such functionality. For example, MySQLi can query like this:

PDO is even more convenient, for example:

You may also be interested in:

Java interview question analysis: judgment and prevention of SQL injection
SQL injection principles and solution code examples
Solve SQL injection problems through ibatis
Win2003 server anti-SQL injection artifact--D shield_IIS firewall
Sql injection tool_PowerNode Java Academy
Introduction to the Principle of Sql Injection_PowerNode Java Academy
How to find websites with SQL injection (must read)
Share a simple sql injection
Mybatis prevent sql injection example
Several solutions to prevent SQL injection when using Hibernate
Summary of 5 effective ways to prevent SQL injection
Summary of file reading and writing methods in SQL injection

<<: How to generate a free certificate using openssl

>>: How to write memory-efficient applications with Node.js

Detailed explanation of MYSQL database table structure optimization method

A Deeper Look at SQL Injection

Detailed explanation of MYSQL database table structure optimization method

What are the differences between var let const in JavaScript

Introduction to the use of the indeterminate property of the checkbox

The pitfalls encountered when learning Vue.js

MySQL InnoDB tablespace encryption example detailed explanation

One minute to experience the smoothness of html+vue+element-ui

MySQL uses frm files and ibd files to restore table data

Vue3 realizes the image magnifying glass effect

Introduction to the graphic composition and typesetting capabilities of web design

Detailed explanation of Nginx static service configuration (root and alias instructions)

Recommend

Summary of MYSQL full backup, master-slave replication, cascading replication, and semi-synchronization

Python virtual environment installation and uninstallation methods and problems encountered

URL Rewrite Module 2.1 URL Rewrite Module Rule Writing

CSS+HTML to implement Skeleton Screen loading placeholder animation effect (with animation)

Some CSS questions you may be asked during an interview

How to use the WeChat Mini Program lottery component

Detailed steps for setting up a nexus server

Understand the basics of Navicat for MySQL in one article

Docker online and offline installation and common command operations

The process of deploying and running countly-server in docker in win10

Detailed explanation on how to avoid the pitfalls of replacing logical SQL in MySQL

How to use the flash plug-in to call the PC's camera and embed it into the TML page

Public free STUN servers

Implementation of Docker deployment of SQL Server 2019 Always On cluster

Simple example of using Docker container