By: Emiley J. in MySQL Tutorials on 23 November 2008
SQL injection is an attack in which user-supplied input is inserted into the text of a query that runs on your database, changing the query's meaning. Have a look at this example:
<?php
// $user and $pw come straight from the request and are interpolated into the SQL string
$query = "SELECT login_id FROM users WHERE user='$user' AND pwd='$pw'";
mysql_query($query);
?>
Voilà! Anyone can log in as any user, using a query string like http://example.com/login.php?user=admin'%20OR%20(user='&pwd=')%20OR%20user=', which makes the application execute the following statement:
<?php
// the quotes in the input have closed the string literals and added an OR clause that matches the admin row
$query = "SELECT login_id FROM users WHERE user='admin' OR (user = '' AND pwd='') OR user=''";
mysql_query($query);
?>
It's even simpler with the URL http://example.com/login.php?user=admin'%23, which executes the query SELECT login_id FROM users WHERE user='admin'#' AND pwd=''. Note that # marks the beginning of a comment in MySQL, so the rest of the original WHERE clause, including the password check, is ignored.
Again, it's a simple attack. Fortunately, it's also easy to prevent. You can sanitize the input using the addslashes() function, which adds a backslash before every single quote ('), double quote ("), backslash (\), and NUL (\0). Other functions are available to sanitize input, such as strip_tags().
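As an added example (not code from the original article), here is the vulnerable query from above beside a prepared-statement version. Prepared statements are the preferred fix over escaping with addslashes(): the SQL text and the values are sent to the driver separately, so no quoting in the input can alter the statement (the mysql_* functions used in the article were removed in PHP 7). It assumes PHP's PDO with the SQLite driver and an in-memory database so that it runs offline; the same PDO code works against MySQL with a mysql: DSN.

```php
<?php
// Added example. In-memory SQLite via PDO so it runs with no server;
// swap the DSN for "mysql:host=...;dbname=..." to use MySQL unchanged.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Same table as the article's query. Plaintext pwd mirrors the article;
// a real system stores password hashes instead.
$db->exec("CREATE TABLE users (login_id INTEGER PRIMARY KEY, user TEXT, pwd TEXT)");
$db->exec("INSERT INTO users (user, pwd) VALUES ('admin', 'correct-horse'), ('bob', 'hunter2')");

// Vulnerable: the article's query, with request values interpolated into the SQL.
function loginVulnerable(PDO $db, string $user, string $pw): ?int
{
    $query = "SELECT login_id FROM users WHERE user='$user' AND pwd='$pw'";
    $row = $db->query($query)->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['login_id'] : null;
}

// Hardened: a prepared statement with named placeholders. The values are
// bound as data, so quotes in $user or $pw can never change the WHERE clause.
function loginSafe(PDO $db, string $user, string $pw): ?int
{
    $stmt = $db->prepare("SELECT login_id FROM users WHERE user = :user AND pwd = :pwd");
    $stmt->execute([':user' => $user, ':pwd' => $pw]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['login_id'] : null;
}

// The crafted values from the article's first URL, URL-decoded (constructed input):
//   user = admin' OR (user='      pwd = ') OR user=
$evilUser = "admin' OR (user='";
$evilPw   = "') OR user=";

// Vulnerable path: the injected OR clause matches the admin row, so a
// login_id is returned without the password.
var_dump(loginVulnerable($db, $evilUser, $evilPw));
// Safe path: the whole crafted string is compared as a username, no row matches.
var_dump(loginSafe($db, $evilUser, $evilPw));
// Safe path with the real credentials: a legitimate login still succeeds.
var_dump(loginSafe($db, 'admin', 'correct-horse'));
```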
© 2023 Java-samples.com