This gives unscrupulous students the opportunity to input some strange query strings and splice them into specific SQL statements to inject them. Not only can important information of the database be obtained, but the entire table can be deleted even if the permissions are not set. Therefore, the SQL injection vulnerability is quite serious. I found that when I was just learning to write a website, I also rely on splicing SQL statements to eat ......
Example
To better learn and understand the SQL injection method, we made an example webpage with the following interface:
Click to log on to Code As shown in the following figure, we use the concatenated SQL statement for line 1:
Copy code The Code is as follows: Private void login ()
{
String uname = tbname. text;
String Pwd = tbpassword. text;
String sqlcmd = "select * from [users] Where username = '" + uname + "'";
String sqlcmdrep = sqlcmd. Replace ("users", "XXX"). Replace ("username", "XXX ");
Lbsql. Text = sqlcmdrep;
Try
{
Datatable dt = datasqlserver. getdatatable (sqlcmd );
Gvresult. datasource = DT;
Gvresult. databind ();
If (Dt. Rows. Count = 1 & Pwd = DT. Rows [0] ["password"]. tostring ())
{
Lbres. Text = DT. Rows [0] ["username"] + "Login success! ";
}
Else if (Dt. Rows. Count = 0)
{
Lbres. Text = uname + "not exist! ";
}
Else
{
Lbres. Text = "Login fail! ";
}
}
Catch (exception ex)
{
Lbres. Text = "error:" + ex. message;
}
}