SQL Injection details-1

Source: Internet
Author: User
With the development of B/S application development, more and more programmers are writing applications using this mode. However, due to the low entry threshold in this industry, the programmer's level and experience are also uneven. A considerable number of programmers did not judge the legitimacy of user input data when writing code, application security risks. You can submit a piece of database query code and obtain the desired data based on the results returned by the program. This is called SQL injection, that is, SQL injection.
SQL injection is accessed from the normal WWW port, and it seems to be no different from the general web page access, so the current Municipal firewall does not alert SQL injection, if the Administrator does not check IIS logs, it may be invisible for a long time. However, the SQL injection method is quite flexible, and many unexpected situations may occur during the injection process. It is the fundamental difference between a master and a cainiao to analyze the specific situation and construct clever SQL statements to obtain the desired data. According to national conditions, ASP + access or sqlserver accounts for more than 70% of Chinese websites, PHP + mysq accounts for L20 %, and other websites are less than 10%.
In this article, we will explain the methods and skills of ASP injection from entry-level, advanced to advanced. The PHP injection article was written by another Nb-consortium friend Zwell, it is expected to be useful to security workers and programmers. Do not skip this article if you are familiar with ASP injection, because some people still have misunderstandings about the basic injection judgment methods. Are you ready?
Lets go...
If you have never tried SQL injection before, remove the check box before ie menu> Tools> Internet Options> advanced => show friendly HTTP Error messages. Otherwise, no matter what error is returned by the server, ie Only displays as an HTTP 500 server error and cannot receive more prompts. Section 1. SQL Injection principles we start from www.19cn.com ). On the home page of the website, named "ie cannot open new window of a variety of solutions" link, address: http://www.19cn.com/showdetail.asp? Id = 49. When a single quotation mark is added to this address, the server returns the following error message: Microsoft Jet Database Engine error 80040e14 string syntax error in the query expression id = 49. /Showdetail. asp, row 8 shows the following points from the error prompt:
1. The website uses an Access database and connects to the database through the jet engine, instead of using ODBC.
2. The program does not determine whether the data submitted by the client meets the program requirements.
3. The table queried by this SQL statement has a field named ID.
From the above example, we can know that the principle of SQL injection is to submit special code from the client to collect information about programs and servers and obtain the information you think. # Database Technology

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.