Shulou(Shulou.com)05/31 Report--

This article mainly introduces how to prevent SQL injection, the article is very detailed, has a certain reference value, interested friends must read it!

When many website programs are written, they do not judge the legitimacy of the user input data, so that the application program has security risks. Users can submit a database query code (usually in the browser address bar, accessed through the normal www port), according to the results returned by the program, get some data they want to know, this is the so-called SQL Injection, that is, SQL injection.

How to prevent SQL injection

SQL injection modifies the website database through web pages. It can add users with administrator privileges directly to the database, thus finally obtaining system administrator privileges. Hackers can use the administrator rights to obtain files on the website or add Trojans and various malicious programs on the web page, which brings great harm to the website and netizens who visit the site.

There is a wonderful way to defend against SQL injection.

Step 1: many beginners download the SQL universal anti-injection system program from the Internet, which is used in the header of the page that needs to prevent injection to prevent others from conducting manual injection testing. However, if you use the SQL injection analyzer, you can easily skip the anti-injection system and automatically analyze its injection point. Then your administrator account and password will be analyzed in just a few minutes.

The second step: for the prevention of injection analyzer, the author found a simple and effective prevention method through experiments. First of all, we need to know how the SQL injection analyzer works. In the course of operation, it is found that the software is not aimed at the "admin" administrator account, but for permissions (such as flag=1). In this way, no matter how your administrator account changes, you can't escape the test.

Step 3: since we can not escape the test, then we will make two accounts, one is an ordinary administrator account, and the other is to prevent injection. Why do you say so? The author thinks that if you find an account with the greatest authority to create an illusion and attract the detection of the software, and the content of this account is more than a thousand Chinese characters, it will force the software to enter a full load state or even crash when analyzing the account. Let's modify the database next.

How to prevent SQL injection

1. Make changes to the table structure. Modify the data type of the administrator's account field, change the text type to the maximum field 255 (in fact, that's enough, if you want to make it bigger, you can choose memo type), and the password field is also set.

two。 Make changes to the table. The account with administrator permission is placed in ID1 and a large number of Chinese characters (preferably more than 100 words) are entered.

3. Put the real administrator password anywhere after ID2 (for example, on ID549).

We have completed the modification of the database through the above three steps.

Is the revision over at this time? In fact, it is not, to understand that you do the ID1 account is actually a real authorized account, now the computer processing speed is so fast, if you encounter a must calculate it out of the software, this is not safe. I think at this time most people have figured out a way, yes, as long as the administrator login to the page file to write character restrictions on the line! Even if the other party uses this account password with thousands of characters, it will be blocked, while the real password can be unrestricted.

The above is all the contents of the article "how to prevent SQL injection". Thank you for reading! Hope to share the content to help you, more related knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.