Web Attack and Defense: SQL injection attacks
The root cause of SQL injection is a weakness in the SQL specification itself. Because the specification has been in use for so long, changing it is practically impossible, so developers can only avoid the attack on their own side. SQL injection used to be a very serious problem; today it is relatively well controlled. This post is just a learning note.
The test procedure is as follows:
1. Build a PHP and MySQL development environment. For details, see my other blog post on setting up a PHP development environment.
2. Add a database, a table, and some table contents.
3. Test.
Universal password and universal user name
Numeric injection
The test is as follows:
Universal password: password 'or 1 = '1 (the text before the quote can be any password; note that if you paste this in, you may need to adjust it)
Universal user name: xx 'Union select * from testuser/* (I could not get this one to work in my MySQL test)
Numeric injection works the same way as the user-name injection; the only difference is that the injected field takes a number rather than a string.
How can SQL injection be prevented?
1. Change the server configuration: set magic_quotes_gpc to on (this setting is not available in PHP 5.3 or later).
2. Validate input more rigorously at the code layer.
3. Use PDO prepared statements (pre-compiled queries).
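The following is an added example, not code from this post: it puts the concatenated login query that the universal-password test above bypasses next to the PDO prepared-statement version from point 3. It uses an in-memory SQLite database so it runs offline; against MySQL only the DSN and credentials change. The column names username and password for the testuser table are assumptions.

```php
<?php
// Added example (not the post's own code). Assumed schema: testuser(username, password).
// SQLite in memory keeps the demo self-contained; for MySQL use a DSN such as
// 'mysql:host=...;dbname=...' and, to get true server-side prepares, also set
// PDO::ATTR_EMULATE_PREPARES to false.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE testuser (username TEXT, password TEXT)");
$db->exec("INSERT INTO testuser VALUES ('alice', 'correct-horse')");
// Real code would store a password_hash() value and check it with password_verify().

// Vulnerable: the input is pasted into the SQL text, so a quote in the password
// closes the string literal and the rest of the input becomes part of the WHERE clause.
function loginVulnerable(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT * FROM testuser WHERE username='$user' AND password='$pass'";
    return $db->query($sql)->fetch() !== false;
}

// Hardened: the query text is fixed and compiled first; the values are bound
// afterwards, so whatever the user types is only ever treated as data.
function loginPrepared(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare("SELECT * FROM testuser WHERE username = ? AND password = ?");
    $stmt->execute([$user, $pass]);
    return $stmt->fetch() !== false;
}

// Same trick as the post's "password 'or 1 = '1". The quoted form '1'='1' is used
// because SQLite, unlike MySQL, does not treat the mixed comparison 1 = '1' as true.
$universal = "anything' or '1'='1";

echo "concatenated query, universal password: ",
    loginVulnerable($db, 'alice', $universal) ? "LOGGED IN (bypassed)" : "rejected", PHP_EOL;
echo "prepared statement, universal password: ",
    loginPrepared($db, 'alice', $universal) ? "LOGGED IN (bypassed)" : "rejected", PHP_EOL;
echo "prepared statement, real password:      ",
    loginPrepared($db, 'alice', 'correct-horse') ? "logged in" : "rejected", PHP_EOL;
```

The same input that logs in through the concatenated query is simply compared as a literal password string by the prepared statement, which is why point 3 is the fix to rely on rather than magic_quotes_gpc.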