SQL注入如何获得结果 [英] sql injection how can I get the result

问题描述

在sql注入中，当我输入恶意注入并由服务器端执行时，如果服务器未显示结果，我该如何获取结果

我可以将其重定向到我设计的另一个页面以显示结果

任何想法
感谢all

in sql injection when I enter the malicious injection and it execute by the server side and if the server doesn''t display the result back how can I get the result

can I redirect it to another page designed by me to display the result

any idea
thanks all

推荐答案

这取决于页面实际执行的操作，如果该页面就像登录名一样，则这是不可能的.因为该SQL在目标服务器SQL数据库上执行.数据的读取位置由服务器端代码确定，因此使用
SQL命令
而SQL数据适配器则是为了减少来自SQL Server的结果.

例如，如果页面显示直接从其检索的数据派生出网格whos模式，则可以构建联接语句，以便从其他表中化数据

但是通常，具有特定功能的附加模式的网格都是硬编码的，而不管查询什么数据列，它只会显示某些列.

SQL注入攻击的目标更多是数据的破坏，而不是数据的获取.但只能在极少数情况下用于从服务器提取数据，但是任何将其数据页暴露在外的人都不允许在任何高价值站点上工作(取决于所涉及的公司).

That depends on what the page is actually doing if the page is like a login this would be impossible. becuase the SQL gets executed on the target servers SQL database. where the data gets read into is determined by the server side code hence the use of
SQL commands
And SQL data adapters in order to cuture the result from the SQL server.

if the page displays for instance a grid whos schema is directly derrived from the data it retrieves you could build in a join statment in order to pupulate the data from other tables

But usually grids with specific functions attached schema is hard coded regardless of what data columns gets queried it will only display certain columns.

A SQL injection attack is more aimed at the destruction of data than it is at the retrieval of data. but can only be used in very select cases to pull data off a server, but anyone who would leave their data pages that exposed wouldnt be allowed to work on any site of high value(depending on company involved).

建议:
始终为SQL注入做好准备.编写参数查询以防止SQL注入.
如果要发送数据，则仅重定向到另一个页面，否则将其发布回该页面.

Suggestion :
Always be prepare for SQL injection. Write Parametric query to prevent from SQL injection.
If data is coming than only redirect to another page else post back to that page.

这篇关于SQL注入如何获得结果的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！