We will look at several scenarios under which SQL injection may occur, even though mysql_real_escape_string() has been used. There are two major steps at writing SQL injection resistant code: correct validation and escaping of input and proper use of the SQL syntax. Failure to comply with any of them may lead to compromise. Many of the specific issues are already known, but no single document mentions them all.
Although the examples are built on PHP/MySQL, the same principles apply to ASP/MSSQL and other combinations of languages and databases.
分享本身就是件快乐的事 我因别人得到帮助而感到幸福
The Unexpected SQL Injection
2007年9月1日 10:53:12 发布:Trace
固定链接 | 分类:Papers | 评论:0 | 引用:0 | 浏览:
Powered By Z-Blog .Theme from Google黑板报 By Washun
Copyright 2008-2009 Pcsec.org. Some Rights Reserved.苏ICP备08110306号
Search
网站分类
文章归档
- 2009 December (14)
- 2009 November (7)
- 2009 October (3)
- 2009 September (6)
- 2009 August (11)
- 2009 July (14)
- 2009 June (11)
- 2009 May (29)
- 2009 April (25)
- 2009 March (34)
- 2009 February (26)
- 2009 January (32)
- 2008 December (54)
- 2008 November (66)
- 2008 October (87)
- 2008 September (7)
- 2008 August (6)
- 2008 July (9)
- 2008 May (2)
- 2008 April (3)
- 2008 March (3)
- 2008 January (1)
- 2007 October (1)
- 2007 September (1)
- 2007 August (1)
- 2007 April (1)
- 2007 March (1)
- 2007 February (3)
- 2006 May (1)
- 2006 February (1)
- 2004 October (1)