Three-step blocking SQL Injection Vulnerability _php Tutorial

What is SQL injection?
Many web-site programs do not judge the legality of user input data when they are written, so that the application has a security risk. Users can submit a database query code (usually in the browser address bar, through the normal WWW port access), according to the results returned by the program, to obtain some of the data you want to know, this is called SQL injection, that is, SQL injection.
Website Nightmare--sql Injection
SQL injection modifies the site database through a Web page. It can add users with administrator privileges directly to the database, resulting in system administrator privileges. Hackers can take advantage of access to the administrator access to any file on the Web site or on the Web page with a Trojan horse and a variety of malicious programs, the site and access to the site's users have brought great harm.
Defensive SQL injection has a magic bullet
The first step: many novice download the SQL Universal Anti-injection System program, in the need to prevent injection of the page head to protect others from manual injection test (1).

Figure 1
However, with SQL Injection Analyzer it is easy to skip the anti-injection system and automatically analyze its injection point (Figure 2). Then it only takes a few minutes for your administrator account and password to be analyzed (Figure 3).

Figure 2

Figure 3

The second step: for the prevention of Injection analyzer, the author through the experiment, found a simple and effective way to prevent. First, we need to know how SQL Injection Analyzer works. During the operation, the discovery software is not directed to the "admin" Administrator account, but to the authority (such as flag=1) to go. This way, no matter how your administrator account changes, you will not be able to evade detection.

The third step: since the detection can not escape, then we do two accounts, one is a normal administrator account, one is to prevent the injection of accounts, why so say? I think, if you find a permission to create the largest account of the false, attract software detection, and the content of this account is greater than the Chinese characters in more than thousand characters, it will force the software to analyze this account when the full load state or even the depletion of resources and the crash. Now let's change the database.

1. Modify the table structure. Change the data type of the administrator's account field to the Maximum field 255 (actually enough, if you want to make it bigger, you can choose the memo type), the password field is also set.

2. Make changes to the table. Set administrator privileges on the account ID1, and enter a large number of Chinese characters (preferably greater than 100 words).

http://www.bkjia.com/PHPjc/631114.html www.bkjia.com true http://www.bkjia.com/PHPjc/631114.html techarticle What is SQL injection? Many web-site programs do not judge the legality of user input data when they are written, so that the application has a security risk. User can submit a database query ...

