What is SQL injection?

Posted 2024-08-20 17:03:49 · 312 characters · 6 views · 0 comments

Possible Duplicates:
XKCD sql injection - please explain
What is SQL injection?

I have seen the term "SQL injection" but still do not understand it. What is it?

Comments (3)

〃温暖了心ぐ 2024-08-27 17:03:49

SQL injection is where someone inserts something malicious into one of your SQL queries.

Let's assume that you have an SQL query like this:

select * from people where name = '<name>' and password = '<password>'

Now let's assume that <name> and <password> are replaced by something someone types on your webpage. If someone typed this as their password...

' or '' = '

...then the resulting query would be:

select * from people where name = 'someone' and password = '' or '' = ''

...which was clearly not your intent. You can read more about it here.

梦醒灬来后我 2024-08-27 17:03:49

SQL Injection is where an attacker is able to manipulate the data they send you in a manner that fools your program to using some of it as SQL commands.

For examples you could visit here

安稳善良 2024-08-27 17:03:49

When you build an SQL query it usually contains all sorts of bits and fragments, some of which come from user input. For example, if you have a "Search Book" facility in your app, then the name of the book is a string coming from the user.

Smart, evil users can manipulate the inputs that they send to your app such that the SQL query built from this input will be harmful.

So if you build your query like this:

String q = "Select * from books where name='" + bookName + "'";

Then a hacker can search for a book called "x'; delete from books where name like '%"

The net result will be that the following query will be executed:
Select * from books where name='x'; delete from books where name like '%'

This will delete all records of the book table. The standard way to avoid this is to always use prepared statements when building queries that include user-supplied pieces.
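The two inputs quoted in the answers above (the `' or '' = '` password and the `x'; delete from books ...` book title), run against a constructed in-memory SQLite database so the concatenated query can be compared with the prepared-statement form the last answer recommends. This is an added example, not code from the original answers; the table contents and function names are assumptions.

```python
import sqlite3

# Constructed sample data, not from the original answers.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table people (name text, password text)")
    conn.execute("insert into people values ('someone', 'hunter2')")
    conn.execute("create table books (name text)")
    conn.executemany("insert into books values (?)", [("x",), ("y",), ("z",)])
    return conn

def login_concat(conn, name, password):
    """Vulnerable: input is spliced into the SQL text (first answer)."""
    sql = ("select * from people where name = '" + name
           + "' and password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None

def login_param(conn, name, password):
    """Hardened: placeholders bind the input as data, so a quote in the
    password can no longer change the WHERE clause."""
    sql = "select * from people where name = ? and password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None

def search_concat(conn, book_name):
    """Vulnerable: the third answer's concatenated search. executescript is
    used because, like many real drivers, it accepts stacked statements."""
    sql = "select * from books where name='" + book_name + "'"
    conn.executescript(sql)
    return conn.execute("select count(*) from books").fetchone()[0]

def search_param(conn, book_name):
    """Hardened: one statement, one bound parameter; the payload is just a
    title nobody has, so the table is untouched."""
    conn.execute("select * from books where name=?", (book_name,)).fetchall()
    return conn.execute("select count(*) from books").fetchone()[0]

def demo():
    bypass = "' or '' = '"                            # first answer's input
    wipe = "x'; delete from books where name like '%"  # third answer's input
    conn = make_db()
    return {
        "concat_bypass": login_concat(conn, "someone", bypass),   # True
        "param_bypass": login_param(conn, "someone", bypass),     # False
        "books_after_param": search_param(conn, wipe),            # 3
        "books_after_concat": search_concat(conn, wipe),          # 0
    }
```

Calling `demo()` shows that the same inputs which log in without a password and empty the `books` table under string concatenation are harmless once they are passed as bound parameters.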
