The first step: many beginners download the SQL Universal Anti-injection system from the Internet program, in the need to prevent injection of the head of the page to protect others from manual injection test. However, if you pass the SQL Injection Analyzer, you can easily skip the anti-injection system and automatically analyze its injection point. Then it only takes a few minutes for your administrator account and password to be parsed.
The second step: for the injection analyzer to prevent, the author through experiments, found a simple and effective method of prevention. First we need to know how the SQL Injection Analyzer works. In the process, the discovery software is not directed to the "admin" Administrator account, but directed to the authority (such as flag=1) to go. This way, no matter how your administrator account changes can not escape detection.
The third step: since can not escape detection, then we do two accounts, one is the ordinary administrator account, one is to prevent injection of the account number, why so say? I think, if you find a maximum number of permissions to create an illusion, to attract software detection, and the account content is greater than thousands of characters in Chinese characters, it will force the software to analyze the account when entering the full load state or even resource depletion and panic. Let's revise the database below.
1. Modify the structure of the table. The Administrator's Account field data type changes, text type to the Maximum field 255 (in fact, enough, if you want to do a larger point, you can choose a note type), the field of the password is also set.
2. Modify the table. Set an account with administrator privileges in ID1 and enter a large number of Chinese characters (preferably greater than 100 characters).
3. Place the real admin password in any position after ID2 (for example, on ID549).
We have completed the modification of the database through the three steps above.
Is this the end of the modification? In fact, to understand that you do ID1 account is really a permission account, and now the computer processing speed so fast, if you meet the last must be counted out software, this is not safe. I think most people have come up with a way, yes, just write the character limit in the paging file where the administrator logs in. Even if the other person uses this thousands of characters of the account password will be blocked, and the real password can be unrestricted.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
