Another form of SQL injection
Question
Hi,
In many web articles, people focus on SQL injection in the form of:
e.g.
/**********************************************************/
$name = "tom' UNION blah blah blah";
$query = "SELECT * FROM users WHERE name = '" . $name . "'";
/**********************************************************/
However, another form of SQL injection might take the form of...
/**********************************************************/
$name = "1 UNION blah blah blah";
$query = "SELECT * FROM users WHERE id = " . $name;
/**********************************************************/
For case 1, we can easily solve it by escaping the special characters
like " ' ", but how do we solve case 2?
Thanks.
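The two cases from the post, with the two usual fixes for case 2, as an added example (not code from the original post, which is PHP-style pseudocode). It is written in Python against an in-memory SQLite database so it runs offline; the `users` and `secrets` tables, the `api-key-abc123` value and the `PAYLOAD` string are constructed sample data. The point it demonstrates is that a numeric context has no quote character to escape, so the answer is not escaping but either binding the value as a parameter or converting it to an integer before it ever touches the query text. The same two fixes apply in PHP (PDO prepared statements, or an `(int)` cast when the value must be inlined).

```python
import sqlite3

# Constructed sample schema and rows (not from the original post): a users
# table the query is meant to hit and a secrets table the attacker wants.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT);
INSERT INTO users VALUES (1, 'tom', 'user'), (2, 'alice', 'admin');
CREATE TABLE secrets (id INTEGER PRIMARY KEY, token TEXT);
INSERT INTO secrets VALUES (1, 'api-key-abc123');
"""

# Constructed case-2 payload: there is no quote character anywhere in it,
# so escaping quotes does nothing. Its column count (3) matches the SELECT
# it is spliced into, which is what a UNION needs to succeed.
PAYLOAD = "1 UNION ALL SELECT id, token, 'leak' FROM secrets"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, user_id):
    """Case 2 from the post: the value is concatenated into a numeric
    context. No surrounding quotes, so everything after the leading
    digit is parsed as SQL."""
    query = "SELECT id, name, role FROM users WHERE id = " + str(user_id)
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user_id):
    """Fix 1: a bound parameter. The driver passes the value separately
    from the statement text, so it is never parsed as SQL, whether the
    context is quoted (case 1) or numeric (case 2)."""
    query = "SELECT id, name, role FROM users WHERE id = ?"
    return conn.execute(query, (user_id,)).fetchall()


def lookup_validated(conn, raw):
    """Fix 2, for the rare case where the value must be inlined: convert
    the input to an integer first. Non-integers are rejected outright,
    and only digits can reach the query text."""
    try:
        user_id = int(raw)
    except (TypeError, ValueError):
        raise ValueError("user id must be an integer, got %r" % (raw,))
    query = "SELECT id, name, role FROM users WHERE id = %d" % user_id
    return conn.execute(query).fetchall()


def leaked_tokens(rows):
    """Return the values that arrived via the injected SELECT, identified
    by the 'leak' marker the payload puts in the role column."""
    return [name for (_id, name, role) in rows if role == "leak"]


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, PAYLOAD))      # second row is ('api-key-abc123', 'leak')
    print(lookup_parameterized(db, PAYLOAD))   # [] : no row has an id equal to that text
    print(lookup_parameterized(db, 1))         # [(1, 'tom', 'user')]
    try:
        lookup_validated(db, PAYLOAD)
    except ValueError as err:
        print("rejected:", err)
    print(lookup_validated(db, "2"))           # [(2, 'alice', 'admin')]
```

Note the asymmetry in the parameterized case: the same payload that returns the secrets table through string concatenation simply returns no rows once it is bound, because SQLite compares the integer column against a text value that is not a well-formed number. Prefer fix 1 everywhere; fix 2 is only for places (an ORDER BY column, a LIMIT in some drivers) where the database does not accept a parameter.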