Cause:
Programmers build SQL statements by splicing strings together (for example, concatenating with the "+" operator) and then appending user input. The database cannot tell which part is data and which part is the statement, so the input may be interpreted as SQL, resulting in injection.
Solution (tentative):
Parameterization is the core framework-level defence against SQL injection. However, parameterization alone is not a good fit for some common requirements that come up during development, such as a comma-separated list of IDs, a user-selected sort column, and so on, because those cannot be bound as a single parameter.
1. Check the data type and format of each variable. Whenever a variable has a fixed format, validate it strictly against that format before the SQL statement is executed, so that the variable is guaranteed to be in the form we expect.
2. Filter special symbols.
3. Bind variables, using precompiled (prepared) statements.
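The following is an added example (not from the original note) that puts the three measures side by side on a constructed SQLite table: a spliced query next to its bound-variable form, a format check plus per-value placeholders for the comma-separated ID list, and an allow-list for the sort column, which cannot be bound as a parameter. The table, rows and function names are assumptions made for this example.

```python
import re
import sqlite3

# Constructed in-memory sample data so the example runs offline.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                 [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])

def find_by_name_unsafe(name):
    """Spliced statement: the database cannot tell data from statement."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_by_name_safe(name):
    """Bound variable: the value travels separately from the precompiled statement."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()

def find_by_ids(id_list):
    """Comma-separated ID list: check the fixed format first (measure 1),
    then bind each ID to its own placeholder instead of splicing the list in."""
    if not re.fullmatch(r"\d+(,\d+)*", id_list):
        raise ValueError("expected comma-separated integers")
    ids = [int(x) for x in id_list.split(",")]
    placeholders = ",".join("?" * len(ids))          # "?,?,..." one per ID
    sql = f"SELECT id, name FROM users WHERE id IN ({placeholders}) ORDER BY id"
    return conn.execute(sql, ids).fetchall()

ALLOWED_SORT = {"id", "name", "role"}               # assumed column allow-list

def list_sorted(column):
    """A sort column is an identifier, not a value, so it cannot be bound;
    restrict it to a fixed allow-list before it reaches the statement."""
    if column not in ALLOWED_SORT:
        raise ValueError("unsupported sort column")
    return conn.execute(f"SELECT id, name FROM users ORDER BY {column}").fetchall()

if __name__ == "__main__":
    probe = "x' OR '1'='1"
    print(find_by_name_unsafe(probe))   # every row: the quote closes the literal
    print(find_by_name_safe(probe))     # []: the whole string is compared as data
    print(find_by_ids("1,3"))
    print(list_sorted("name"))
```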
For more information, please refer to: https://www.zhihu.com/question/22953267
SQL injection problem?