Shulou(Shulou.com)06/02 Report--

This article focuses on "what are the common aggregate functions of MySql and the solutions to SQL injection attacks?" interested friends may wish to take a look. The method introduced in this paper is simple, fast and practical. Let the editor take you to learn "what are the common aggregate functions of MySql and the solutions to SQL injection attacks"?

1. What are the common aggregate functions in MySql:

Count (), sum (), max (), min (), avg (), group_concat ()

Mysql also has common functions:

(1) numerical function:

Abs () = "(absolute value abs (- 10.9) = 10)

Pi () / / get pi

Rand () / / Random number

...

(2) time and date function:

Now (), Date (), Time ().

(3) string function:

TRIM (string) / / remove the spaces at the front and rear ends

LENGTH (string) / / string length, byte

...

(4) flow function

(5) other common functions:

Md5 (), Default ().

2. Solutions to SQL injection attacks:

My own understanding is that sql injection refers to generating and running sql statements with special meaning through certain database syntax methods combined with the characteristics of the code used, which is called sql injection.

The general solution is:

(1) filter the input from the database (that is, do not trust any data entered by the user)

(2) for java, use PreparedStatement

Reference links: https://blog.csdn.net/czh600/article/details/88202971, https://www.cnblogs.com/zhidongjian/p/10413635.html

(3) for php, you can change the configuration information of php.ini (addslashes, mysql_real_escape_string, mysql_escape_string), and you can use the function to filter the data of get or post separately. Ordinary htmlspecialchars is not allowed. It only aims at converting predefined characters "(greater than) into HTML entities, and can not completely prevent sql injection attacks. PDO prepare can solve most attacks. But it can not prevent injection 100%, of course, this is my own understanding.

Reference links: https://www.cnblogs.com/liliuguang/p/10429163.html, https://www.v2ex.com/amp/t/362625

3.xss cross-site scripting attacks:

There are three common XSS attacks: reflective XSS attack, DOM-based XXS attack and storage XSS attack.

1. Reflexive XSS attacks reflective XSS generally an attacker uses specific techniques (such as e-mail) to induce users to visit a URL containing malicious code. When the victim clicks on these specially designed links, the malicious code will be executed directly in the browser on the victim's host. Reflective XSS usually appears in the search bar of the website, user login and other places, often used to steal the client Cookies or phishing fraud.

two。 Storage XSS attacks, also known as persistent XSS, mainly submit XSS code and store it on the server side (database, memory, file system, etc.). You don't have to submit XSS code the next time you request the target page. When the target user visits the page to obtain data, the XSS code is loaded from the server parsing and returned to the browser to perform normal HTML and JS parsing, and a XSS attack occurs. Storage XSS generally appears in interactive places such as website messages, comments, blog logs, etc., and malicious scripts are stored in the client or server database.

3. URLEncode the untrusted value before outputting the URL parameter, and be sure to check the format for getting the value from the URL parameter (for example, URL if you need it, to determine whether it meets the URL format).

4. Do not use Eval to parse and run uncertain data or code, use the JSON.parse () method for JSON parsing.

5. The back-end interface should also have the problem of key character filtering.

6. Input characters are filtered, controlled at the source, and some illegal inputs are filtered out, so as to ensure security. For example, remove the DOM attributes submitted by the user, such as onerror, remove the Style node uploaded by the user, and so on.

7. The output parameter is encoded, and if the source is not well controlled, it will have to be remedied later: like some common symbols, such as transcoding them at the time of output, the browser will not interpret and execute the tag. At the same time, it doesn't affect the display. For example, to do coding such as "" instead.

8. The length of input parameters is limited. Through the above cases, it is not difficult to find that xss attacks often need longer strings to achieve, so some expected inputs can be defended by limiting the length and forcing truncation.

At this point, I believe you have a deeper understanding of "what are the common aggregate functions in MySql and the solutions to SQL injection attacks?" you might as well do it in practice. Here is the website, more related content can enter the relevant channels to inquire, follow us, continue to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.