Determine and prevent SQL injection

SQL injection is the most commonly used attack method of hackers, its principle is to use the database to the special identifier of the resolution forcibly from the page into the background. Change the structure of SQL statements, reach extended permissions, create high-level users, force modification of user data, and so on.
How do you know if you have been injected into SQL?
Through the principle of SQL injection we know that SQL injection can be passed through the page data, the background should not believe that any data passed in from the background , especially special integer parameters and special character Parameters!
preventing SQL injection is actually simple
1. Check the variable data type and format
As long as a fixed-format variable, before the SQL statement execution, you should strictly follow the fixed format check, to ensure that the variable is our expected format!
2. Filter Special Symbols
For variables that cannot be determined in a fixed format, be sure to make a special symbol or transfer processing, and one side of the star is ambiguous when it comes to SQL.
When we upload images,

enctype=\”multipart/form-data\”enctype=”multipart/form-data”

• 1
• 2

• 1
• 2

Without a "/", the Enctype= "Multipart/form-data" in the form means that the MIME encoding of the form is set. By default, this encoding format is application/x-www-form-urlencoded, cannot be used for file upload, only use the Multipart/form-data to complete the transfer of file data, do the following.
3. Binding variables, using precompiled statements
In fact, binding variables using precompiled statements are the best way to prevent SQL injection, and the semantics of using precompiled SQL statements will not change. In the SQL statement, the variable is with a question mark? That the hacker can not change the format of the SQL statement, even if the ability of the big, fundamentally eliminate the occurrence of SQL injection attack.
4. Database Information Encryption Security
Sometimes the database information leaks, we should be the database password and other information encryption (MD5, etc.), so that information leakage, loss can also be controlled within a certain range.

when using JSP, pay attention to
1. Do not arbitrarily open a production environment summary webserver error display.
2. Never trust the variable input from the user, there are fixed-format variables must strictly check the corresponding format, no fixed-format variables need to quote special characters such as the necessary filtering escape.
3. SQL statements using precompiled binding variables
4. Do a good job of database account Rights Management
5. Strict encryption process user confidential information

A good program must pay attention to safety, otherwise it is only suitable for practiced hand.

Determine and prevent SQL injection