This article analyzes the knowledge points related to SQL injection in detail through the comparison of SQL and MYSQL, as well as the principles of SQL injection and how to prevent SQL injection. I hope it can help some people in need.
1. What is sql injection?
Sql injection is an attack technique that adds sql code to the input parameters and passes it to the Sql server for parsing and execution
2. How did it happen?
Web developers cannot guarantee that all input has been filtered
The attacker uses the input data sent to the Sql server to construct executable Sql code
The database is not Make corresponding security configuration
3. How to find SQL vulnerabilities?
Identify all input points in the web application
Understand which types of requests trigger exceptions? (Special characters" or ')
Detect exceptions in server responses
4. How to perform a SQL injection attack?
Number injection:
Select * from tablename where id=1 or 1=1;
String injection:
Mysql’s comment feature:
# and -- are commented out. No matter what password is entered, the query will be correct. Please click here to enter the image description
5. How to prevent sql injection?
##Strictly check the input format: is_numeric(var), tp5's validate verification, string injection uses regular expression to see if it is between [A-Za-z]Escape: addslashes(str), mysqli_escape_string() function for escaping6. MySQLi’s precompilation mechanism
##Related recommendations:
sql injection Website methodSharing of PHP’s simple and efficient method of preventing sql injectionExplanation of PHP’s method of preventing sql injectionThe above is the detailed content of Learn more about SQL injection and prevention. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
