Backend Development
PHP Tutorial
Detailed explanation of effectively preventing SQL injection vulnerabilities_PHP tutorial
Detailed explanation of effectively preventing SQL injection vulnerabilities_PHP tutorial
1. If the dynamically constructed sql statement contains parameters, please do the following operations on the parameters
a. Replace '(single quote) with ''(two single quote)
b. Replace -- (comment character) with
c. When adding parameters to a statement, be sure to add quotation marks before and after, such as: 'select * from table where id='''+@id+'''' such addition
2. If the dynamically constructed SQL statement contains table parameters, do not add [] (square brackets) to the table, such as: 'select * from ['+@tab+']'
3. Avoid dynamic sql statements: especially the fields that obtain query, modification, and deletion conditions from the IE client are most likely to be injected. For example, the above-mentioned personid is obtained from the client. For the convenience of development, the fields obtained from the client are directly persongid is used as a condition of the sql statement, but there is no necessary check for personid, so it is best to use the preparedstatement class when executing sql statements during development.
4. Verify data: Using web page special effects on the client IE to verify the legality of user input data is actually not very effective. After obtaining the client data, the data must be strictly verified. Developers should not assume that the user only Legal data will be entered. Make sure to check for semicolons, quotes, brackets, sql keywords, etc. in your application. Regular expressions can be used to perform complex pattern matching, and good results can be achieved by using them.
The ××× website address book viewing program needs to pass a personid, and the personid can be passed through the url parameter. Since the address book viewing program obtains the personid directly without any data legality verification, and the personid is a string variable, the code to obtain the personid is as follows:
if (getparameter(req,"personid")!=null){
personid=getparameter(req,"personid").trim();
}else{
personid="";
}
The dynamic sql statements combined in this program are as follows:
personsql="select * from table name where userid="+long.tostring(userid)+" and addrcontactid="+personid;
Since the program does not check whether the personid is an integer, the attacker can assign a value to the personid and continue to run the subsequent program logic. If the attacker enters the following URL:
http://www.----------------------?personid=6414 or 2=2
The sql statement composed ofis as follows:
select * from table name where userid=1433620 and addrcontactid=6414 or 2=2
Prevention methods
SQL injection vulnerabilities can be said to be "a dike of thousands of miles, but collapses in an ant nest". This kind of vulnerability is extremely common on the Internet. It is usually caused by programmers not understanding injection, or program filtering is not strict, or a certain parameter is forgotten to check. . Here, I will give you a function that replaces the request function in the ASP tutorial. It can say no to all SQL injections. The function is as follows:
function saferequest(paraname,paratype)
'--- Incoming parameters ---
'paraname: parameter name - character type
'paratype: parameter type - numeric type (1 indicates that the above parameters are numbers, 0 indicates that the above parameters are characters)dim paravalue
paravalue=request(paraname)
if paratype=1 then
if not isnumeric(paravalue) then
response.write "Parameter" & paraname & "Must be numeric type!"
response.end
end if
else
paravalue=replace(paravalue,"'","''")
end if
saferequest=paravalue
end function
Application of the above function
For int type parameters, such as the id of an article, you can first determine whether it is an integer.
id =trim(request("id"))
if id<>"" then
if not isnumeric(id) then
Response.write"Please provide numeric parameters"
Response.end
end if
id = clng(id)
else
response.write"Please enter parameter id"
response.end
end if
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
What is the difference between HQL and SQL in Hibernate framework?
Apr 17, 2024 pm 02:57 PM
HQL and SQL are compared in the Hibernate framework: HQL (1. Object-oriented syntax, 2. Database-independent queries, 3. Type safety), while SQL directly operates the database (1. Database-independent standards, 2. Complex executable queries and data manipulation).
Convert VirtualBox fixed disk to dynamic disk and vice versa
Mar 25, 2024 am 09:36 AM
When creating a virtual machine, you will be asked to select a disk type, you can select fixed disk or dynamic disk. What if you choose fixed disks and later realize you need dynamic disks, or vice versa? Good! You can convert one to the other. In this post, we will see how to convert VirtualBox fixed disk to dynamic disk and vice versa. A dynamic disk is a virtual hard disk that initially has a small size and grows in size as you store data in the virtual machine. Dynamic disks are very efficient at saving storage space because they only take up as much host storage space as needed. However, as disk capacity expands, your computer's performance may be slightly affected. Fixed disks and dynamic disks are commonly used in virtual machines
Usage of division operation in Oracle SQL
Mar 10, 2024 pm 03:06 PM
"Usage of Division Operation in OracleSQL" In OracleSQL, division operation is one of the common mathematical operations. During data query and processing, division operations can help us calculate the ratio between fields or derive the logical relationship between specific values. This article will introduce the usage of division operation in OracleSQL and provide specific code examples. 1. Two ways of division operations in OracleSQL In OracleSQL, division operations can be performed in two different ways.
Comparison and differences of SQL syntax between Oracle and DB2
Mar 11, 2024 pm 12:09 PM
Oracle and DB2 are two commonly used relational database management systems, each of which has its own unique SQL syntax and characteristics. This article will compare and differ between the SQL syntax of Oracle and DB2, and provide specific code examples. Database connection In Oracle, use the following statement to connect to the database: CONNECTusername/password@database. In DB2, the statement to connect to the database is as follows: CONNECTTOdataba
Detailed explanation of the Set tag function in MyBatis dynamic SQL tags
Feb 26, 2024 pm 07:48 PM
Interpretation of MyBatis dynamic SQL tags: Detailed explanation of Set tag usage MyBatis is an excellent persistence layer framework. It provides a wealth of dynamic SQL tags and can flexibly construct database operation statements. Among them, the Set tag is used to generate the SET clause in the UPDATE statement, which is very commonly used in update operations. This article will explain in detail the usage of the Set tag in MyBatis and demonstrate its functionality through specific code examples. What is Set tag Set tag is used in MyBati
How to solve the 5120 error in SQL
Mar 06, 2024 pm 04:33 PM
Solution: 1. Check whether the logged-in user has sufficient permissions to access or operate the database, and ensure that the user has the correct permissions; 2. Check whether the account of the SQL Server service has permission to access the specified file or folder, and ensure that the account Have sufficient permissions to read and write the file or folder; 3. Check whether the specified database file has been opened or locked by other processes, try to close or release the file, and rerun the query; 4. Try as administrator Run Management Studio as etc.
C++ function parameter type safety check
Apr 19, 2024 pm 12:00 PM
C++ parameter type safety checking ensures that functions only accept values of expected types through compile-time checks, run-time checks, and static assertions, preventing unexpected behavior and program crashes: Compile-time type checking: The compiler checks type compatibility. Runtime type checking: Use dynamic_cast to check type compatibility, and throw an exception if there is no match. Static assertion: Assert type conditions at compile time.
Database technology competition: What are the differences between Oracle and SQL?
Mar 09, 2024 am 08:30 AM
Database technology competition: What are the differences between Oracle and SQL? In the database field, Oracle and SQL Server are two highly respected relational database management systems. Although they both belong to the category of relational databases, there are many differences between them. In this article, we will delve into the differences between Oracle and SQL Server, as well as their features and advantages in practical applications. First of all, there are differences in syntax between Oracle and SQL Server.
