Hackers through SQL injection attacks can get access to the site database, then they can get all the data in the site database, malicious hackers can use SQL injection function to tamper with the data in the database and even destroy the data in the database. As a web developer you hate this kind of hacking, and of course it's important to understand how SQL injects this functionality and learn how to protect your Web database with code. Today, take the PHP and MySQL database as an example to share what I know about SQL injection attacks and some simple precautions and tips on how to avoid SQL injection attacks.
What is SQL injection (SQL injection)?
In a nutshell, SQL injection is the use of code vulnerabilities to obtain data from a Web site or an application's SQL database in the background, allowing access to the database. For example, hackers can take advantage of the vulnerability of the site code, using SQL injection to obtain a company's Web site back-end database of all the data information. After getting the database administrator login user name and password, hackers can freely modify the contents of the database or even delete the database. SQL injection can also be used to verify the security of a Web site or application. There are many ways to inject SQL, but this article will only discuss the most basic principles, and we'll take PHP and MySQL for example. The example in this article is simple, and if you use other languages it will not be difficult to understand, focus on SQL commands.
A simple SQL injection attack case
If we have a company website, we store all the important information such as customer data in the background database of the website. If there is a command in the code of the website login page to read the user information.
Copy CodeThe code is as follows:
$q = "Select ' id ' from ' users ' WHERE ' username ' = '". $_get[' username ']. " ' and ' password ' = ' ". $_get[' password ']." ' ";
?>
Now that a hacker wants to attack your database, he will try to enter the following code into the user name input box on this login page:
' ; SHOW TABLES;
Click the login button, this page will show all the tables in the database. If he now uses the following line of command:
'; DROP table [table name];
So he's got a watch removed!
Of course, this is a very simple example, the actual SQL injection method is much more complex than this, hackers are willing to spend a lot of time to constantly try to attack your code. Some program software can also automatically try to keep trying SQL injection attacks. After understanding the attack principle of SQL injection, let's look at how to prevent SQL injection attacks.
Prevent SQL injection-using the mysql_real_escape_string () function
In the code of the database operation, the function mysql_real_escape_string () can filter out special characters in the code, such as quotation marks. The following example:
Copy CodeThe code is as follows:
$q = "Select ' id ' from ' users ' WHERE ' username ' = '". Mysql_real_escape_string ($_get[' username ']). " ' and ' password ' = ' ". Mysql_real_escape_string ($_get[' password '])." ' ";
?>
Prevent SQL injection-using the mysql_query () function
mysql_query () in particular, it will only execute the first of the SQL code, and the latter will not be executed. Recall in the first example, the hacker through the code to execute several SQL commands in the background, showing the names of all the tables. So the mysql_query () function can take the role of further protection. We further evolved the code just now to get the following code:
Copy CodeThe code is as follows:
Connection
$database = mysql_connect ("localhost", "username", "password");
DB selection
mysql_select_db ("Database", $database);
$q = mysql_query ("Select ' id ' from ' users ' WHERE ' username ' = '". Mysql_real_escape_string ($_get[' username ']). " ' and ' password ' = ' ". Mysql_real_escape_string ($_get[' password '])." ' ", $database);
?>
In addition, we can determine the length of the input value in PHP code, or use a function to check the input value. Therefore, in accepting the user input value of the place must be good to filter and check the input content. Of course, learning and understanding the latest SQL injection methods is also very important, so as to achieve a purposeful defense. If you are using a platform-style website system such as WordPress, be careful to make an official patch or upgrade to a new version in time. If there is a wrong place or do not understand, please leave a comment in the comments section.
http://www.bkjia.com/PHPjc/325082.html www.bkjia.com true http://www.bkjia.com/PHPjc/325082.html techarticle hackers through the SQL injection attack can get access to the site database, then they can get all the data in the database, malicious hackers can be tampered with the SQL injection function ...
