A Deeper Look at SQL Injection

1. What is SQL injection?

Sql injection is an attack method that adds sql code to the input parameter and passes it to the Sql server for parsing and execution.

2. How did it come about?

Web developers cannot guarantee that all input is sanitized

The attacker constructs executable SQL code using the input data sent to the SQL server

The database is not configured for security

3. How to find SQL vulnerabilities?

Identify all input points in a web application

Understand what types of requests trigger exceptions? (special characters " or ')

Detect anomalies in server responses

4. How to perform SQL injection attack?

Digital Injection:

Select * from tablename where id=1 or 1=1;

String injection:

MySQL's comment feature:

The characters after # and -- are commented out, so no matter what password is entered, it can be queried correctly. Please click here to enter image description

5. How to prevent SQL injection?

Strictly check the input format: is_numeric(var), tp5 validate verification, and use regular expressions to check whether the string is between [A-Za-z]

Escape: addslashes(str),

mysqli_escape_string() function to escape

6.MySQLi's precompilation mechanism

Parameterized Binding

Parameterized binding is another barrier to prevent SQL injection. PHP MySQLi and PDO both provide such functionality. For example, MySQLi can query like this:

PDO is even more convenient, for example:

You may also be interested in:

Java interview question analysis: judgment and prevention of SQL injection
SQL injection principles and solution code examples
Solve SQL injection problems through ibatis
Win2003 server anti-SQL injection artifact--D shield_IIS firewall
Sql injection tool_PowerNode Java Academy
Introduction to the Principle of Sql Injection_PowerNode Java Academy
How to find websites with SQL injection (must read)
Share a simple sql injection
Mybatis prevent sql injection example
Several solutions to prevent SQL injection when using Hibernate
Summary of 5 effective ways to prevent SQL injection
Summary of file reading and writing methods in SQL injection

<<: How to generate a free certificate using openssl

>>: How to write memory-efficient applications with Node.js

js to achieve the complete steps of Chinese to Pinyin conversion

A Deeper Look at SQL Injection

js to achieve the complete steps of Chinese to Pinyin conversion

How to deploy Go web applications using Docker

Detailed Tutorial on Installing VirtualBox 6.0 on CentOS 8 / RHEL 8

How to modify the group to which a user belongs in Linux

CSS3 realizes the website product display effect diagram

Using JavaScript difference to implement a comparison tool

This article tells you how to use event delegation to implement JavaScript message board function

Detailed explanation of JavaScript program loop structure

Two methods to implement MySQL group counting and range aggregation

How are Vue components parsed and rendered?

Recommend

How to build lnmp environment in docker

Detailed explanation of value transfer between parent and child components in Vue3

Sample code for cool breathing effect using CSS3+JavaScript

The way to represent colors in HTML is by using 6-digit hexadecimal codes, RGB or keywords.

Example code for implementing the wavy water ball effect using CSS

How to change the MySQL database file directory in Ubuntu

Detailed explanation of the abbreviation of state in react

Detailed tutorial on installing Docker and nvidia-docker on Ubuntu 16.04

Detailed explanation of the difference between WeChat applet bindtap and catchtap

Solution to the problem of flash back after entering the password in MySQL database

MySQL 5.7.23 decompression version installation tutorial with pictures and text

Vue implements the right slide-out layer animation

Vue application example code based on axios request encapsulation

Explanation of using if judgment conditions in sum and count functions when using SQL statements to collect data

React implements the sample code of Radio component