What is SQL injection?
Many web-site programs do not judge the legality of user input data when they are written, so that the application has a security risk. Users can submit a database query code (usually in the browser address bar, through the normal WWW port access), according to the results returned by the program, to obtain some of the data you want to know, this is called SQL injection, that is, SQL injection.
SQL injection modifies the site database through a Web page. It can add users with administrator privileges directly to the database, resulting in system administrator privileges. Hackers can take advantage of access to the administrator access to any file on the Web site or on the Web page with a Trojan horse and a variety of malicious programs, the site and access to the site's users have brought great harm.
Defensive SQL injection has a magic bullet
The first step: many novice download the SQL Universal Anti-injection System program, in the need to prevent injection of the page head to protect others from manual injection testing.
However, it is easy to skip the anti-injection system and automatically analyze its injection points if you are using SQL Injection Analyzer. Then it only takes a few minutes for your administrator account and password to be analyzed.
The second step: for the prevention of Injection analyzer, the author through the experiment, found a simple and effective way to prevent. First, we need to know how SQL Injection Analyzer works. During the operation, the discovery software is not directed to the "admin" Administrator account, but to the authority (such as flag=1) to go. This way, no matter how your administrator account changes, you will not be able to evade detection.
The third step: since the detection can not escape, then we do two accounts, one is a normal administrator account, one is to prevent the injection of accounts, why so say? I think, if you find a permission to create the largest account of the false, attract software detection, and the content of this account is greater than the Chinese characters in more than thousand characters, it will force the software to analyze this account when the full load state or even the depletion of resources and the crash. Now let's change the database.
1. Modify the table structure. Change the data type of the administrator's account field to the Maximum field 255 (actually enough, if you want to make it bigger, you can choose the memo type), the password field is also set.
2. Make changes to the table. Set administrator privileges on the account ID1, and enter a large number of Chinese characters (preferably greater than 100 words).
3. Place the real administrator password in any location after ID2 (for example, on ID549).
We completed the modification of the database through the three steps above.
Is this the end of the modification? In fact, to understand that you do the ID1 account is actually the right account, now the computer processing speed so fast, if the last time must be calculated out of the software, which is not safe. I think at this point most people have figured out a way, yes, just write the character limit in the page file where the administrator is logged in! Even if the other person uses the thousand-character account password will be blocked, and the real password can be unlimited.
http://www.bkjia.com/PHPjc/631099.html www.bkjia.com true http://www.bkjia.com/PHPjc/631099.html techarticle What is SQL injection? Many web-site programs do not judge the legality of user input data when they are written, so that the application has a security risk. User can submit a database query ...
