SQL injection attacks refer to exploiting design vulnerabilities to run Sql commands on the target server and conduct other attacks. Failure to verify the data entered by the user when dynamically generating Sql commands is the main reason why Sql injection attacks succeed. For example:
If your query statement is select * from admin where username='"&user&"' and password='"&pwd&"'"
Then, if my username is: 1' or '1' ='1
Then, your query statement will become:
select * from admin where username='1 or '1'='1' and password='"&pwd&"'"
Your query statement has passed, and you can enter your management interface.
Therefore, user input needs to be checked when taking precautions. Convert or filter some special characters, such as single quotes, double quotes, semicolons, commas, colons, connection numbers, etc.
The special characters and strings that need to be filtered are:
net user
xp_cmdshell
/add
exec master.dbo.xp_cmdshell
net localgroup administrators
select
count
Asc
char
mid
'
:
"
insert
delete from
drop table
update
truncate
from
%
The following are two prevention codes I wrote about solving injection attacks for your reference!
The js version of the code to prevent SQL injection attacks~:
[CODE START]
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
