First, the principle of SQL injection attack
The attacker injects malicious SQL code into the HTTP request and executes it on the server.
For example, user login, enter the user name Camille, password ' or ' 1 ' = ' 1, if you use the method of parameter construction, it will appear
Select * from User where = ' Camille ' and = "' or ' 1 ' = ' 1 '
Regardless of the user name and password, the list of users queried is not empty, so you can look at the information of other users.
Second, the defense of SQL injection attack
1, the Client
- Limit the length of string input;
- Validity test.
// filter URLs for illegal SQL characters, or filter text boxes for illegal characters. var surl = location.search.toLowerCase (); var squery = surl.substring (surl.indexof ("=") +1); Reg=/select|update|delete|truncate|join|union| Exec|insert|drop|count| ' | ' |;| >|<|%/ i; if (Reg.test (squery)) { alert ("Do not enter illegal characters") ; = Surl.replace (Squery, "");}
2. Service side
- Use Precompiled Preparestatement (Java);
- Validation to prevent attackers from bypassing client requests;
- Never use dynamically assembled SQL, you can use parameterized SQL or directly use stored procedures for data query access;
- Filter the special characters in the parameters that SQL requires, such as single quotes, double quotes.
Web front-end security for SQL injection attacks