Parameterized queries prevent SQL injection vulnerabilities
Look at someone else's login/registration SQL statement. Is there a loophole?
WHERE name='admin' or '1=1' and password='123';
The or '1=1' part is the loophole: it makes the WHERE condition true for the admin row no matter what password was supplied.
Http://jingyan.baidu.com/article/27fa7326f53ea746f9271f79.html
Defenses used in the past
In the past there were three ways to deal with this vulnerability:
- String detection: restrict input to ordinary characters such as letters and digits, and reject the input outright if it contains special characters. The disadvantage is that some content in the system will inevitably contain special characters, and that content cannot simply be refused storage.
- String substitution: replace dangerous characters with other characters. The disadvantage is that there may be many dangerous characters; enumerating and replacing them one by one is tedious, and some may slip through the cracks.
- Stored procedures: the parameters are passed to a stored procedure for processing, but not all databases support stored procedures, and if the commands executed inside the stored procedure are themselves built by string concatenation, the vulnerability remains.
Parameterized queries
In recent years, since the advent of parameterized queries, SQL injection vulnerabilities of this kind have become a thing of the past: the input is bound to a placeholder as a value, so the quotes and keywords in it can no longer change the structure of the statement.
Prevent SQL injection vulnerabilities with parameterized queries
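As an added example (not code from the original article), the login check discussed above written in Python with the standard sqlite3 module, once by string concatenation and once with bound parameters; the users table and the input values are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample table for the demonstration: one account, in memory.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'secret')")
    return conn


def login_concat(conn, name, password):
    # Vulnerable form: the input is stitched into the SQL text, so a quote in
    # the input ends the literal and the rest is parsed as SQL (the "or '1=1'"
    # trick from the article).
    sql = ("SELECT COUNT(*) FROM users WHERE name='" + name
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn, name, password):
    # Parameterized form: the driver binds each value to a "?" placeholder.
    # The statement's structure is fixed before the values are supplied, so the
    # input is compared as a plain string and never parsed as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE name=? AND password=?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def compare(name, password):
    # Returns (concatenated result, parameterized result) for the same input,
    # so the two behaviours can be compared side by side.
    conn = make_db()
    return login_concat(conn, name, password), login_param(conn, name, password)


if __name__ == "__main__":
    print("valid credentials :", compare("admin", "secret"))
    print("injected name     :", compare("admin' or '1'='1", "wrong"))
```

With valid credentials both functions return True; with the injected name only the concatenated version lets the login through.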