Injectable SQL:
$id = $_REQUEST['id'];
$name = $_REQUEST['name'];
// user input is spliced straight into the query text (unquoted, or quoted but unescaped)
$sql = "select * from members where id=$id";
$sql = "select * from members where id='" . $id . "'";
$sql = "select * from members where name='" . $name . "'";
Not injectable:
// intval() reduces the value to a plain integer before it reaches the query
$sql = "select * from members where id='" . intval($id) . "'";
// sql_escape() is the poster's escaping helper (not a PHP built-in); the escaped value must still be quoted
$sql = "select * from members where name='" . sql_escape($name) . "'";
Filter user input, limit type and size, and parameterize SQL statements. In addition, parameter vulnerabilities of web services should also be considered.
Using Java EE's PreparedStatement interface can easily prevent SQL injection. The drivers of various database manufacturers have implemented it well. The Druid connection pool also helps you filter SQL to prevent injection. Jenkins can be used with some plug-ins, such as FindBugs, to find possible SQL injection behaviors.
1/ Front-end input uses jsoup filtering. jsoup can also customize various filtering rules.
2/ Use an ORM framework such as iBATIS to bind parameters for SQL execution.
Generally, parameterization or stored procedures are OK.
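The difference between the injectable concatenated queries in the first post and the parameter binding recommended in the later ones, as an added Python/sqlite3 example (not code from any of the posters); the members table and its rows are constructed here, and find_by_id mirrors the intval($id) cast:

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the thread's "members" table.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table members (id integer primary key, name text)")
    conn.executemany("insert into members values (?, ?)",
                     [(1, "alice"), (2, "O'Reilly"), (3, "bob")])
    conn.commit()
    return conn

def find_by_name_concat(conn, name):
    # The injectable form from the thread: the value is spliced into the SQL text,
    # so any quote character in it changes the statement's structure.
    sql = "select * from members where name='" + name + "'"
    return conn.execute(sql).fetchall()

def find_by_name_param(conn, name):
    # Parameterized form: the driver binds the value separately from the SQL text,
    # so quotes in the input remain data and the statement's structure is fixed.
    return conn.execute("select * from members where name=?", (name,)).fetchall()

def find_by_id(conn, raw_id):
    # Equivalent of the thread's intval($id): coerce to int before the value reaches
    # SQL; anything non-numeric is rejected instead of being interpolated.
    try:
        member_id = int(raw_id)
    except (TypeError, ValueError):
        return None
    return conn.execute("select * from members where id=?", (member_id,)).fetchall()

def concat_query_breaks(conn, name):
    # True when the concatenated query is no longer valid SQL for this input,
    # which is exactly the condition an attacker-controlled value exploits.
    try:
        find_by_name_concat(conn, name)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    print("concat, benign input:", find_by_name_concat(db, "alice"))
    print("concat breaks on a quote:", concat_query_breaks(db, "O'Reilly"))
    print("param, same input:", find_by_name_param(db, "O'Reilly"))
    print("id cast, non-numeric input:", find_by_id(db, "abc"))
```

The concatenated query only works while the input contains no quote; the bound query returns the matching row for the same input, and the integer cast refuses non-numeric ids outright.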