A programmer who does not know how to effectively prevent SQL injection is certainly not a good programmer

With the growth of web application development, many programmers have entered the industry, but their technical level and programming experience vary widely. Many of them do not validate the legitimacy of user-supplied parameters when they write code, which leaves a potential security hazard. If a skilled attacker finds this problem, they can submit a database query script and retrieve whatever data they want. This is what we call SQL injection.

Consider an example. A university has developed an online course system in which students select courses and complete their study. The database contains a table holding each student's information and completion status. The specific design is as follows:

The system exposes an interface that looks up a student by student id. It seems like there is no problem, right? But do you believe I can get all the student data through this interface? To do so, it is enough to make the SQL script's WHERE condition always true. The script is also simple:

We only need to set studentid to `4 or 1=1` when requesting the interface. The resulting SQL has the same WHERE condition as the following:

The terrifying part is that an attacker can not only read all of your data, but can also run update, delete and other operations against your database.

Handled that way, the parameter `4 or 1=1` we pass in is treated as a student_id value rather than as SQL, so SQL injection does not occur.
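To show the difference concretely, here is an added example (not code from the original post) that builds the student lookup both ways against an in-memory SQLite database. The table name `student_course`, its columns and the sample rows are constructed for this example, since the post's own table design is not reproduced here; the query and the `4 or 1=1` input are the ones discussed above.

```python
import sqlite3

# Constructed sample rows standing in for the course system's table
# (student_id, name, completed); the original table design is not shown here.
SAMPLE_ROWS = [
    (1, "Alice", 1),
    (2, "Bob", 0),
    (3, "Carol", 1),
    (4, "Dave", 0),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE student_course (student_id INTEGER, name TEXT, completed INTEGER)"
    )
    conn.executemany("INSERT INTO student_course VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_vulnerable(conn: sqlite3.Connection, student_id: str) -> list:
    """The flawed interface: the request parameter is pasted into the SQL text.

    Input '4 or 1=1' turns the WHERE clause into 'student_id = 4 or 1=1',
    which is true for every row, so every student's data comes back.
    """
    sql = (
        "SELECT student_id, name, completed FROM student_course "
        f"WHERE student_id = {student_id}"
    )
    return conn.execute(sql).fetchall()


def query_parameterized(conn: sqlite3.Connection, student_id: str) -> list:
    """The fixed interface: the value is bound as a query parameter.

    The database compares the column against the literal value '4 or 1=1'
    and never parses it as SQL, so the injected condition has no effect.
    """
    sql = "SELECT student_id, name, completed FROM student_course WHERE student_id = ?"
    return conn.execute(sql, (student_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id=4:       ", query_vulnerable(db, "4"))
    print("vulnerable, id=4 or 1=1:", query_vulnerable(db, "4 or 1=1"))
    print("bound, id=4:            ", query_parameterized(db, "4"))
    print("bound, id=4 or 1=1:     ", query_parameterized(db, "4 or 1=1"))
```

The bound version returns no rows for the injected input because the whole string is compared as one value against `student_id`; validating that the parameter is an integer before the query adds a second line of defence.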

Author: zmhuaxia