SQL injection
<p>It works by inserting SQL commands into a web form submission, an input field, or the query string of a page request, so that the database server is tricked into executing the malicious SQL and the attacker ends up interacting with the server directly.</p>
<p><strong>Prevention</strong></p>
<ul><li>i) Validate input on the back end and filter sensitive characters.</li><li>ii) Use parameterized queries; wherever concatenating SQL can be avoided, do not build SQL statements by string concatenation.</li></ul>