Home >Database >SQL >Can sql injection be entered directly through a web form?

Can sql injection be entered directly through a web form?

王林
王林Original
2021-02-18 17:09:375884browse

SQL injection can generally be entered directly through a web form. SQL injection means that the web application does not judge the legality of user input data or does not strictly filter it. Attackers can add additional SQL statements to achieve illegal operations.

Can sql injection be entered directly through a web form?

The operating environment of this article: windows 10 system, mysql 5.7, thinkpad t480 computer.

SQL injection means that the web application does not judge the legality of the user input data or does not filter it strictly. The attacker can add additional SQL statements at the end of the predefined query statements in the web application. , to implement illegal operations without the administrator's knowledge, in order to deceive the database server into performing unauthorized arbitrary queries, thereby further obtaining corresponding data information.

Features:

1. Universality

Any database based on SQL language may be attacked. Many developers fail to understand the input parameters when writing Web applications. , Web forms, cookies, etc. receive values ​​for normative verification and detection, SQL injection vulnerabilities usually occur.

2. Concealment

SQL injection statements are generally embedded in ordinary HTTP requests and are difficult to distinguish from normal statements. Therefore, many current firewalls cannot recognize and warn, and SQL injection There are many variants, and attackers can adjust the parameters of the attack, so using traditional methods to defend against SQL injection is very unsatisfactory.

3. Big harm

The attacker obtains the server's library name, table name, and field name through SQL injection, thereby obtaining the data in the entire server, which is harmful to the data security of website users. A great threat. An attacker can also obtain the password of the backend administrator through the obtained data, and then maliciously tamper with the web page. This not only poses a serious threat to database information security, but also has a significant impact on the security of the entire database system.

4. Easy to operate

There are many SQL injection tools on the Internet, which are easy to learn, have a simple attack process, and can be used freely without professional knowledge.

Related recommendations: mysql tutorial

The above is the detailed content of Can sql injection be entered directly through a web form?. For more information, please follow other related articles on the PHP Chinese website!

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn