Preventing SQL injection
[ 2016/10/19 16:03:55 ]
What is SQL injection
SQL injection (SQL Injection), or simply injection, is the most common security vulnerability in Web development. It can be used to read sensitive information from the database, to abuse database features to add users or export files, and in some cases to gain the highest privileges of the database or even of the system user.
SQL injection is possible because the program does not filter user input effectively. An attacker submits malicious SQL to the server, the program mistakenly executes that input as part of its query, the original query logic is changed, and the attacker's carefully crafted code runs in addition to it.
SQL injection examples
Many Web developers do not realize that an SQL query can be tampered with, and treat SQL queries as trusted commands. In fact an SQL query can bypass access control, and with it authentication and permission checks. Worse, it may even be possible to run host-level system commands through an SQL query.
The examples below walk through how SQL injection works. Consider the following simple login form:
<form action="/login" method="POST">
<p>Username:<input type="text" name="username" /></p>
<p>Password:<input type="password" name="password" /></p>
<p><input type="submit" value="Login" /></p>
</form>
The SQL in our handler might look like this:
username:=r.Form.Get("username")
password:=r.Form.Get("password")
sql:="SELECT * FROM user WHERE username='"+username+"' AND password='"+password+"'"
If the user enters the following username (the password can be anything):
myuser' or 'foo' = 'foo' --
then our SQL becomes:
SELECT * FROM user WHERE username='myuser' or 'foo' = 'foo' --'' AND password='xxx'
In SQL, -- marks a comment, so the statement is cut off at that point. This lets the attacker log in successfully without knowing any valid username or password.
For MSSQL there is an even more dangerous form of SQL injection: taking control of the system. The following example shows how system commands can be executed on some versions of MSSQL.
sql:="SELECT * FROM products WHERE name LIKE '%"+prod+"%'"
Db.Exec(sql)
If a%' exec master..xp_cmdshell 'net user test testpass /ADD' -- is submitted as the value of prod, the sql becomes:
sql:="SELECT * FROM products WHERE name LIKE '%a%' exec master..xp_cmdshell 'net user test testpass /ADD'--%'"
How to prevent SQL injection
You might say that an attacker needs to know the database structure before they can carry out an SQL injection attack. That is true, but nobody can guarantee that attackers will never obtain that information, and once they do, the database is at risk of being leaked. If you use an open-source package to access the database, such as a forum application, the attacker can easily get hold of the relevant code, and if that code is poorly designed the risk is even greater. Popular open-source programs such as Discuz, phpwind and phpcms have all been hit by SQL injection attacks in the past.
These attacks all happen in code that is not secure enough. So never trust data that comes from outside, especially data from users, including select boxes, hidden form fields and cookies. As the first example above shows, even an ordinary-looking query can lead to disaster.
Given how much damage SQL injection can do, how should it be prevented? The following suggestions may help.
1. Strictly limit the database privileges of the Web application's database user: grant only the minimum privileges needed for its work, so that the damage an injection attack can do to the database is kept as small as possible.
2. Check that input data has the expected format and strictly restrict variable types, for example by matching with the regexp package, or by using the strconv package to convert strings to other basic types and checking the result.
3. Escape or re-encode special characters that go into the database (' " < > & * ; and so on). The HTMLEscapeString function in Go's text/template package can escape a string.
4. Use the database's parameterized query interface for all statements. A parameterized statement passes user input as parameters instead of embedding it in the SQL text, that is, never build SQL statements by string concatenation. For example, use Prepare and Query from database/sql, or Exec(query string, args ...interface{}).
5. Before releasing an application, test it with a dedicated SQL injection scanner and fix any injection flaws found. There are many open-source tools for this, such as sqlmap and SQLninja.
6. Do not let the site print SQL error messages, such as type errors or mismatched fields, which expose the SQL statements in the code; otherwise an attacker can use those messages to refine an injection.
Summary
As the examples above show, SQL injection is a very damaging vulnerability. In the Web applications we write every day, every small detail deserves careful attention: details decide the outcome, in life and in writing Web applications alike.
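As an added example (not code from the original post), here is the login handler's concatenated query next to the parameterized form that item 4 recommends, together with the format check from item 2; the *sql.DB, the user table and its id column are assumed.

```go
package main

import (
	"database/sql"
	"regexp"
	"strings"
)

// Constructed sample: the username payload from the login example above.
const attackerUsername = "myuser' or 'foo' = 'foo' --"

// vulnerableLoginQuery splices the input into the SQL text exactly as the
// handler above does, so the quote and the -- marker become part of the SQL.
func vulnerableLoginQuery(username, password string) string {
	return "SELECT * FROM user WHERE username='" + username + "' AND password='" + password + "'"
}

// effectiveStatement shows what the server ends up evaluating: the payload puts
// -- outside any string literal, so everything after it is a comment (simplified
// view; it does not handle -- inside quoted literals).
func effectiveStatement(query string) string {
	if i := strings.Index(query, "--"); i >= 0 {
		return strings.TrimSpace(query[:i])
	}
	return query
}

// safeLoginQuery keeps the SQL text constant and returns the input as values
// for the driver to bind. ? is the MySQL/SQLite placeholder (PostgreSQL uses $1).
func safeLoginQuery(username, password string) (string, []interface{}) {
	return "SELECT id FROM user WHERE username=? AND password=?",
		[]interface{}{username, password}
}

// lookupUserID runs the parameterized form through database/sql (item 4).
// Assumes a *sql.DB opened elsewhere and a user table with an id column.
func lookupUserID(db *sql.DB, username, password string) (int64, error) {
	query, args := safeLoginQuery(username, password)
	var id int64
	err := db.QueryRow(query, args...).Scan(&id)
	return id, err
}

// validUsername is the format check from item 2: reject input outside the
// expected character set before it gets anywhere near SQL. Note that
// text/template's HTMLEscapeString (item 3) escapes for HTML output only;
// it is not an SQL escape and does not replace parameters.
var usernameRe = regexp.MustCompile(`^[A-Za-z0-9_]{3,32}$`)
func validUsername(u string) bool { return usernameRe.MatchString(u) }
```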