Some questions about SQL injection. URL injection.

Some questions about SQL injection ... URL injection ....
Use some SQL injection tools to detect your own background ... Discovery display can inject. Want to ask for advice on how to prevent injection

All illegal characters have been filtered out in the form's detection .....

Now I don't know how to filter out illegal characters from the URL ...

Want to find out the URL injection principle and anti-injection method ...

Some of these tools don't really understand.

Xxxx.com/adminlogin.php/**/and/**/1=1
xxxx.com/adminlogin.php/**/and/**/1=1/**/union/**/select/**/1,2,3,4,5,6,7,8,9/*

How exactly did you submit the query from the address?

------Solution--------------------
Theoretically, as long as the incoming data is applied directly to the SQL instruction without processing, there is the possibility of SQL injection

How to evaluate the damage caused by SQL injection, it's a little more fastidious
1. PHP has taken steps to prevent SQL injection: Only one SQL command can be executed at a time. This broke the path of catastrophic damage by refactoring SQL instructions. (Additional delete, drop)
2. One exception is Mysqli_multi_query, which allows multiple instructions to be executed at once. The risks are borne by the users themselves.
3, only change the query conditions (constant set) does not constitute a threat, at most, the intruder has the rights of the webmaster, this can be resolved by first inserting a special name of the administrator. Exit the program whenever the user name is checked
4, or see the data should not appear in this column, but this does not affect the normal browsing of other users

In short, big can not Tanhusebian

