How to send <title> tag from <asp:textbox> using SQL injection
Hi,
I'm a little bit afraid of this thing when someone sends a <title></title> tag to my database using SQL injection.
Can anyone tell me how that can be possible? As far as I know, by default tags like <title> </title> are not possible to go to the database; I don't even allow HTML tags to go to my database. Then how can it be done?
Any example is greatly appreciated.
Thanks in advance
That isn't an SQL Injection problem - that is a specific problem that occurs when the user can enter data which corrupts your database by typing in text fields and having them executed as instructions:
myTextBox.Text = "x';DROP TABLES students;--";
...
string sql = "SELECT * FROM students WHERE username='" + myTextBox.Text + "'";
...
And you solve it by always using parameterized queries instead of concatenating strings.
What you are talking about is a form of Cross Site Scripting (XSS) attack, and the solution is completely different. This may help: http://www.acunetix.com/blog/articles/preventing-xss-attacks/
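The two separate defences the answer names, as an added example that is not part of the original thread: a parameterized query binds the text box value as data, and HTML encoding is applied where the value is written into a page. It assumes Python's sqlite3 and html.escape as stand-ins for the ASP.NET data and encoding layers; the function names and sample rows are constructed for illustration.

```python
import html
import sqlite3

def make_db():
    """In-memory table with one constructed row (stand-in for the real database)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (username TEXT)")
    db.execute("INSERT INTO students VALUES ('alice')")
    return db

def find_student(db, username):
    # The ? placeholder binds the value as data; it is never parsed as SQL.
    cur = db.execute("SELECT username FROM students WHERE username = ?", (username,))
    return [row[0] for row in cur.fetchall()]

def add_student(db, username):
    db.execute("INSERT INTO students (username) VALUES (?)", (username,))

def render_row(username):
    # XSS is handled at output time: encode the value before it goes into HTML.
    return "<td>" + html.escape(username) + "</td>"

def demo():
    db = make_db()
    # The answer's string, bound as a parameter: no match, table untouched.
    hits = find_student(db, "x';DROP TABLES students;--")
    # Markup is ordinary text to the database, so a parameterized INSERT
    # stores it unchanged. Parameterization does not filter HTML.
    add_student(db, "<title>hi</title>")
    stored = find_student(db, "<title>hi</title>")
    count = db.execute("SELECT COUNT(*) FROM students").fetchone()[0]
    return hits, stored, count, render_row(stored[0])

if __name__ == "__main__":
    print(demo())
```

The tag reaches the database intact even with the query parameterized, which is why the encoding step at render time is the control that matters for XSS.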