How do you prevent SQL injection attacks?
As long as all form input is filtered before it is used to build SQL commands, you are fine. Filtering the input can be done in several ways:
(1) For dynamic SQL queries, use the following techniques:
First: replace single quotes, i.e. turn every single quote into two single quotes, to prevent the attacker from changing the meaning of the SQL command;
Second: delete all hyphens from the user input;
Third: restrict the privileges of the database account used to execute the query.
(2) Use stored procedures to perform all queries.
(3) Limit the length of form or query-string input.
(4) Check the legitimacy of user input and make sure the input contains only legitimate data.
(5) Store user login names and passwords as encrypted data.
(6) Check the number of records returned by the data-extraction query.
CodePudding user response:
The practice of string concatenation is a temporary fix, not a permanent cure.
CodePudding user response:
Use parameterized queries to prevent SQL injection.
CodePudding user response:
Don't concatenate SQL strings; that alone avoids about 99% of SQL injection.
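As an added example that is not from any poster in this thread: the string-concatenation query the replies warn about beside its parameterized form, plus the allow-list length check from points (3) and (4) of the first post. It uses Python's sqlite3 with a constructed in-memory table; the function names are assumptions.

```python
import re
import sqlite3

# Constructed sample table so the example runs offline. A real system
# would store a password hash, as point (5) of the post recommends.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_concat(conn, name, password):
    # Vulnerable form: user input becomes part of the SQL text, so a
    # quote in the input changes the structure of the WHERE clause.
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]

def login_param(conn, name, password):
    # Hardened form: the driver binds the values as data; the SQL text
    # is fixed, so quotes and operators in the input are never parsed.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]

# Allow-list check with a length cap for the login name (points 3 and 4).
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def valid_name(name):
    return NAME_RE.fullmatch(name) is not None

def demo():
    conn = make_db()
    # A password field containing a quote and an OR: the concatenated
    # query matches every row, the parameterized query matches none.
    tampered = "' OR '1'='1"
    return {
        "concat": login_concat(conn, "alice", tampered),
        "param": login_param(conn, "alice", tampered),
        "name_ok": valid_name("alice"),
        "tampered_name_ok": valid_name(tampered),
    }

if __name__ == "__main__":
    print(demo())
```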