什么是SQL注入?
我见过“SQL 注入”这个术语,但仍然不明白它。它是什么?
Possible Duplicates:
XKCD sql injection - please explain
What is SQL injection?
I have seen the term "SQL injection" but still do not understand it. What is it?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
SQL 注入是指有人将恶意内容插入到您的 SQL 查询之一中。
假设您有一个如下的 SQL 查询:
现在假设
...那么结果查询将是:
...这显然不是您的意图。您可以在此处阅读更多相关信息。
SQL injection is where someone inserts something malicious into one of your SQL queries.
Let's assume that you have an SQL query like this:
Now let's assume that
<name>and<password>are replaced by something someone types on your webpage. If someone typed this as their password......then the resulting query would be:
...which was clearly not your intent. You can read more about it here.
SQL 注入是攻击者能够操纵他们发送给您的数据的方式,欺骗您的程序将其中一些数据用作 SQL 命令。
例如,您可以访问此处
SQL Injection is where an attacker is able to manipulate the data they send you in a manner that fools your program to using some of it as SQL commands.
For examples you could visit here
当您构建 SQL 查询时,它通常包含各种位和片段,其中一些来自用户输入。例如,如果您的应用程序中有“搜索图书”功能,则图书名称是来自用户的字符串。
聪明、邪恶的用户可以操纵他们发送到您的应用程序的输入,这样根据此输入构建的 SQL 查询将是有害的。
因此,如果您像这样构建查询:
那么黑客可以搜索一本名为
"x'; delete from books where name like '%"最终结果将是执行以下查询:
从 name='x' 的书籍中选择 *; delete from books where name like '%'这将删除 book 表的所有记录。避免这种情况的标准方法是在构建包含用户提供的片段的查询时始终使用准备好的语句。
When you build an SQL query it usually contain all sort of bits and fragments, some of which come from user input. For example, if you have a "Search Book" facility in your app, then the name of the book is a string coming from the user.
Smart, evil users can manipulate the inputs that they send to your app such that the SQL query built from this input will be harmful.
So if you build your query like this:
Then a hacker can search for a book called
"x'; delete from books where name like '%"The net result will be that the following query will be executed:
Select * from books where name='x'; delete from books where name like '%'This will delete all records of the book table. The standard way to avoid this is to always use prepared statements when building queries that include user-supplied pieces.