A SQL injection attack exploits a design flaw in an application to run attacker-chosen SQL commands on the target server. The main cause is building SQL commands dynamically from user input without checking that input first. For example, suppose your query statement is: select * from admin where username = '"& user &"' and password = '"& pwd &"'
So, if I enter the username 1' or '1'='1, your query statement becomes: select * from admin where username = '1' or '1'='1' and password = '"& pwd &"'. The query passes, so I can enter your management interface.
Therefore, the user's input must be checked. Special characters such as single quotes, double quotes, semicolons, commas, colons and hyphens (connectors) should be converted or filtered.
Special characters and strings that need to be filtered include: net user, xp_cmdshell, /add, exec master.dbo.xp_cmdshell, net localgroup administrators, select, count, asc, char, mid, ' (single quote), " (double quote), insert, delete from, drop table, update, truncate from.
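The following is an added example (not the author's code) that shows the two sides of what is described above: a login query built by string concatenation, exactly like the ASP statement quoted earlier, next to the same query with bound parameters, plus a blocklist filter in the spirit of the author's character list. It uses Python's built-in sqlite3 with a constructed in-memory "admin" table so it runs offline; the table contents and the function names are assumptions for this demonstration. The injected value is supplied in the password field so that the trailing or '1'='1' is unconditional (SQL evaluates and before or), which is the usual form of this bypass.

```python
import sqlite3

# Constructed sample data standing in for the page's "admin" table (assumption).
SAMPLE_ROWS = [("admin", "s3cret")]

# A partial blocklist modelled on the page's list of strings to filter. Short
# keywords such as "asc", "mid" or "char" are deliberately left out: they also
# match harmless words ("pascal", "admin", "richard"), which is one reason
# blocklists alone are a weak defence.
BLOCKED_TOKENS = (
    "'", '"', ";", "--",
    "xp_cmdshell", "net user", "net localgroup", "/add",
    "exec ", "select ", "insert ", "update ", "delete from",
    "drop table", "truncate ",
)


def make_db():
    """Create an in-memory database with the constructed admin table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO admin VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def login_vulnerable(conn, user, pwd):
    """Mirror the page's concatenated statement: user input becomes SQL text."""
    sql = (
        "select * from admin where username='" + user
        + "' and password='" + pwd + "'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, user, pwd):
    """Same query with bound parameters: input is data, never SQL syntax."""
    sql = "select * from admin where username=? and password=?"
    return conn.execute(sql, (user, pwd)).fetchall()


def contains_blocked(value):
    """Case-insensitive blocklist check, the filtering approach the page describes."""
    lowered = value.lower()
    return any(token in lowered for token in BLOCKED_TOKENS)


if __name__ == "__main__":
    db = make_db()
    payload = "x' or '1'='1"          # the bypass value from the page
    print("vulnerable:", login_vulnerable(db, "nobody", payload))  # returns the admin row
    print("parameterised:", login_safe(db, "nobody", payload))      # returns []
    print("blocklist flags payload:", contains_blocked(payload))    # True
```

Running the block shows that the concatenated query returns the admin row for a user who never supplied the password, while the parameterised query returns nothing for the same input and still accepts the real credentials. The blocklist catches this particular payload because of the single quote, but it is best treated as a secondary check: parameterised queries remove the root cause the page identifies (user data being spliced into the command text), whereas a filter only covers the strings someone remembered to list.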
Below are the two kinds of defense code I have written to solve the injection attack, for everyone to learn from! JS version of the anti-SQL injection attack code: