A backend SQL injection at huashun lets a universal password log into the admin backend and leak a large amount of user information, with the fix.
Backend address:
http://basic.10jqka.com.cn/admin/index.php?op=csiReport&act=view
The backend login has an injection flaw; it is not demonstrated here. Log in directly with the universal password:
Admin 'or '1' = '100
Compatibility in IE 11 is sometimes not very good; everything below ..
Solution:
At the code level, use a parameterized query interface, or escape or filter the external parameters used in SQL statements:
For integers, check that the variable matches [0-9] (contains only digits); for other types, check the validity of the variable.
For strings, escape special characters in the SQL statement (a single quote becomes two single quotes, a double quote becomes two double quotes). PHP, for example, provides escape functions such as mysql_escape_string and mysql_real_escape_string.
[PHP repair example]
<?php
$id = $_GET['id'];
// Connect with PDO: the original mixed mysql_connect(), which returns a plain
// resource with no prepare() method, with PDO-style prepared statements.
$conn = new PDO("mysql:host=localhost;dbname=mydb", "root", "");
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// The user-supplied id is bound as a parameter, never concatenated into the SQL.
$sql = "select * from user where id = :id";
$stmt = $conn->prepare($sql);
$stmt->execute(array(':id' => $id));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
?>
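The same fix applied to the login check itself, as an added example that is not part of the original report or the site's code: a parameterized query, the digit check for integer parameters, and the quote-doubling escape from the solution above, run against a constructed in-memory sqlite3 table so that the report's universal password is treated as a plain literal and matches nothing.

```python
import re
import sqlite3

# Constructed sample data standing in for the backend's user table
# (plaintext passwords only to keep the injection point in focus).
SAMPLE_USERS = [("Admin", "s3cret"), ("editor", "pass123")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user (username, password) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def is_valid_id(value):
    """Integer parameters: accept only strings made of [0-9], as the solution recommends."""
    return re.fullmatch(r"[0-9]+", value) is not None


def login(conn, username, password):
    """Parameterized login: credentials are bound as values, never spliced into the SQL.
    Returns the matching user id, or None when no row matches."""
    row = conn.execute(
        "SELECT id FROM user WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def escape_sql_string(value):
    """The escape alternative: double every single quote so the value stays a literal.
    Only for code paths that cannot use prepared statements; binding is preferred."""
    return value.replace("'", "''")


def login_escaped(conn, username, password):
    """Same check built with escaping instead of binding; both reject the bypass."""
    sql = "SELECT id FROM user WHERE username = '%s' AND password = '%s'" % (
        escape_sql_string(username), escape_sql_string(password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


# The universal password quoted in the report, used here only as input that must be rejected.
UNIVERSAL_PASSWORD = "Admin 'or '1' = '100"

if __name__ == "__main__":
    db = make_db()
    print(login(db, "Admin", "s3cret"))                      # 1
    print(login(db, UNIVERSAL_PASSWORD, UNIVERSAL_PASSWORD))  # None
```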