Do not trust the user's input in the login, you need to process the user's inputSQL injection:' or 1=1 #Several functions to prevent SQL injection:Addslashes ($string): Use a backslash to refer to a special character in a string ' "\$username
PHP MySQL functionsDefinition and usageThe mysql_real_escape_string () function escapes special characters in strings used in SQL statements.The following characters are affected:
\x00
\ n
\ r
\
‘
"
\x1a
If
This afternoon colleagues asked me a more basic question, when splicing SQL statements, if encountered like the situation what to do.My original writing is a simple concatenation of strings, and later colleagues asked me what to do if I encountered
1. Installing PDOThe database abstraction layer pdo-php The data Object Extension class library defines a lightweight, consistent interface for the PHP Access database, which provides a data access abstraction layer that uses specific PDO driver
Discuz is a set of common PHP community forum software Systems, in the domestic possession of a large number of user groups, is to do the forum's preferred system, in the early days of the discuz to do the forum system, the deepest feeling should be
SQL injectionExample: script logic$sql = "SELECT * FROM user WHERE UserID = $_get[userid]";Case 1: SELECT * from T WHERE a like '%xxx% ' or (IF (Now=sysdate (), SLEEP (5), 1)) or B like ' 1=1 ';Case 2:select * from T WHERE a > 0 and B in (497 and
SQL (Structured Query Language) is a structured query language. SQL injection, which is the insertion of SQL commands into the query string of the Web form's input domain or page request parameters, causes the database server to execute a malicious
18First, the last Class reviewSelect Concat_ws (":", Name,age,sex,post) as info from EMP; # egon:male:18Second, sub-query (a problem solving a problem)Enclose a query statement in parentheses, as a condition of another query statement, called a
This can be written in a console application when an attack is injected in an add-in program:Please enter the number: U006Please enter user name: InvinciblePlease enter your password: 1234Please enter a nickname: hehePlease enter gender: TruePlease
Dim Fy_url,fy_a,fy_x,fy_cs (), FY_CL,FY_TS,FY_ZX'---Define the partial head------FY_CL = 1 ' processing: 1 = hint information, 2 = Turn to page, 3 = prompt before turningFY_ZX = "index." The page that the Asp "' turned to when it went
Method 1:replace Filter CharactersWorkaround: Find the Pass=request. Form ("Pass")Modified to: Username=replace (Request. Form ("name"), "'", "" ")Pass=replace (Request. Form ("Pass"), "'", "" "The syntax is masking ' and ' characters to achieve the
First configure in Web. xml
antiSqlInjectioncom.usermanage.util.AntiSqlInjectionfilterantiSqlInjection/*2. Specific logic implementationPackage com.usermanage.util;Import java.io.IOException;Import java.util.Enumeration;Import
PHP to prevent SQL injection of filtering paging parameter instances, SQL paging
The example in this paper describes how PHP prevents filtering paging parameters in SQL injection. Share to everyone for your reference. The specific analysis is as
Php prevents SQL injection to filter paging parameter instances, and SQL Paging
This example describes how to prevent paging parameters from being filtered by SQL Injection in php. Share it with you for your reference. The specific analysis is as
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.