Someone has dropped a table in my database. How?

2018-07-03 13:01:19

This question already has an answer here:

SQL injection that gets around mysql_real_escape_string() 4 answers

he probably entered the next string '1'; ;

If I'm not mistaken, this php function will not prevent sql injection, it only make sure the sql string is legal and SELECT categories.id AS cid, categories.title AS ctitle FROM categories WHERE cid='-1'; SQL INJECTION STRING ; is a legal string for sql

Have you taken measures to ensure that sql injection is not possible? Some things you can do to prevent injection is by using mysql_real_escape_string() before the query to escape any quotes on post and get variables, or using prepared statements with mysqli or PDO instead of using mysql_query. Also as an additional safeguard, you can create a separate user for connecting to mysql that has limited access, and not allowing that user to use DROP, etc.

链接地址: http://www.djcxy.com/p/93452.html

上一篇: 有没有办法在我的代码中注入SQL？

下一篇: 有人在我的数据库中放了一张桌子。怎么样？