What is SQL injection?
Many web site programs in the writing, the user does not have to judge the legality of input data, so that the application has security problems. Users can submit a database query code (usually in the browser address bar, through the normal WWW port access), according to the results returned by the program to obtain some of the data, which is called SQL injection, that is, SQL injection.
SQL injection modifies the Web site database through a Web page. It is able to add users with administrator privileges directly to the database, thereby ultimately gaining system administrator privileges. Hackers can use the access to the administrator's access to the Web site files or add a Trojan horse and a variety of malicious programs on the Web site and access to the site's users have caused great harm.
How to defend against SQL injection
The first step: many beginners download the SQL Universal Anti-injection system from the Internet program, in the need to prevent injection of the head of the page to protect others from manual injection test.
However, if you pass the SQL Injection Analyzer, you can easily skip the anti-injection system and automatically analyze its injection point. Then it only takes a few minutes for your administrator account and password to be parsed.
The second step: for the injection analyzer to prevent, the author through experiments, found a simple and effective method of prevention. First we need to know how the SQL Injection Analyzer works. In the process, the discovery software is not directed to the "admin" Administrator account, but directed to the authority (such as flag=1) to go. This way, no matter how your administrator account changes can not escape detection.
The third step: since can not escape detection, then we do two accounts, one is the ordinary administrator account, one is to prevent injection of the account number, why so say? I think, if you find a maximum number of permissions to create an illusion, to attract software detection, and the account content is greater than thousands of characters in Chinese characters, it will force the software to analyze the account when entering the full load state or even resource depletion and panic. Let's revise the database below.
1. Modify the structure of the table. The Administrator's Account field data type changes, text type to the Maximum field 255 (in fact, enough, if you want to do a larger point, you can choose a note type), the field of the password is also set.
2. Modify the table. Set an account with administrator privileges in ID1 and enter a large number of Chinese characters (preferably greater than 100 characters).
3. Place the real admin password in any position after ID2 (for example, on ID549).
We have completed the modification of the database through the three steps above.
Is this the end of the modification? In fact, to understand that you do ID1 account is really a permission account, and now the computer processing speed so fast, if you meet the last must be counted out software, this is not safe. I think most people have come up with a way, yes, just write the character limit in the paging file where the administrator logs in. Even if the other person uses this thousands of characters of the account password will be blocked, and the real password can be unrestricted.
