2.2 Basic SQL injection and principles

SQL injection is produced by data submitted by users. How can this problem be solved? What data have hackers submitted? What will the hacker return when submitting data? This is what we will discuss below.

2.2.1 compilation of programs with Injection Vulnerabilities

Since SQL can be injected into different databases, the principle of SQL injection vulnerability is the same no matter what database or script code, therefore, we compile our vulnerability programs with the simplest structure such as asp + access database. Of course, it will certainly use asp's SQL query programming and Connection database programming, as well as the creation of access database table columns.

2.2.1.1 create database files

First, describe the effect of this program writing. We need to use asp to query the administrator ID and Account Name of the database administrator table. Then we assume that the Administrator's name is admin, and the column name is id and username.

The structure is shown in.

In chapter 1, we have already talked about Microsoft's ACCESS installation, so now we can directly open the asp + access Environment snapshot of the Virtual Machine for testing.

Click Start-all programs-Microsoft Office Access 2003 to open the ACCESS window. Click file-new, and click "Empty Database" in the new file on the right to create a database file. Save the file to the web directory and change the file name to test. mdb.

After the database is created, create the database tables and columns. Click "create table with designer" to create tables and columns. Write the id in the field name, and select automatic number for the data type. The next field name is username and the data type is text type. Close this window and you will see whether to save the table design. Select "yes" here. Then a "save as" dialog box will pop up. Here we fill in the designed admin. The basic structure of a database has been established.

Although the table and column name have been created, we have not added any data. Next we will continue to add the two data we designed above. Double-click to open the admin table and directly enter the username table as the previously designed content, and the id will be automatically added.

This database has been created.