Can sql injection be entered directly through a web form?
- 王林Original
- 2021-02-18 17:09:375849browse
SQL injection can generally be entered directly through a web form. SQL injection means that the web application does not judge the legality of user input data or does not strictly filter it. Attackers can add additional SQL statements to achieve illegal operations.
The operating environment of this article: windows 10 system, mysql 5.7, thinkpad t480 computer.
SQL injection means that the web application does not judge the legality of the user input data or does not filter it strictly. The attacker can add additional SQL statements at the end of the predefined query statements in the web application. , to implement illegal operations without the administrator's knowledge, in order to deceive the database server into performing unauthorized arbitrary queries, thereby further obtaining corresponding data information.
Features:
1. Universality
Any database based on SQL language may be attacked. Many developers fail to understand the input parameters when writing Web applications. , Web forms, cookies, etc. receive values for normative verification and detection, SQL injection vulnerabilities usually occur.
2. Concealment
SQL injection statements are generally embedded in ordinary HTTP requests and are difficult to distinguish from normal statements. Therefore, many current firewalls cannot recognize and warn, and SQL injection There are many variants, and attackers can adjust the parameters of the attack, so using traditional methods to defend against SQL injection is very unsatisfactory.
3. Big harm
The attacker obtains the server's library name, table name, and field name through SQL injection, thereby obtaining the data in the entire server, which is harmful to the data security of website users. A great threat. An attacker can also obtain the password of the backend administrator through the obtained data, and then maliciously tamper with the web page. This not only poses a serious threat to database information security, but also has a significant impact on the security of the entire database system.
4. Easy to operate
There are many SQL injection tools on the Internet, which are easy to learn, have a simple attack process, and can be used freely without professional knowledge.
Related recommendations: mysql tutorial
The above is the detailed content of Can sql injection be entered directly through a web form?. For more information, please follow other related articles on the PHP Chinese website!