黄舟2017-04-17 16:25:38
可注入的sql:
$id=$_REQUEST['id'];
$name=$_REQUEST['name'];
select * from members where id=$id;
select * from members where id='".$id."'";
select * from members where name='".$name."'";
不可注入:
select * from members where id='".intval($id)."'";
select * from members where name=".sql_escape($name);
PHP中文网2017-04-17 16:25:38
Filter user input, limit type and size, and parameterize sql statements. In addition, parameter vulnerabilities of webservices should also be considered.
PHP中文网2017-04-17 16:25:38
Using JavaEE's PreparedStatement interface can easily prevent SQL injection. The drivers of various DataBase manufacturers have implemented it well. The Druid connection pool also helps you filter SQL to prevent injection. Jenkins can be used with some plug-ins, such as findBugs, to find possible SQL injection behaviors.
PHPz2017-04-17 16:25:38
1/Front-end input uses jsoup filtering. jsoup can also customize various filtering rules.
2/Use an ORM framework such as ibatis to bind parameters for SQL execution.