What Is a Code Injection?
With the spread of the B/S (browser/server) application model, more and more programmers write their applications in this style. However, because programmers' skill and experience vary widely, a considerable share of them do not check the legitimacy of user input when writing code, which leaves the application with potential security risks.
- A user can submit a piece of database query code and, from the results the program returns, obtain data he wants to know. This is the so-called SQL injection (SQL Injection).
- To avoid code injection problems, we must make full use of the protections available in input and output handling, such as:
  - Input validation.
  - Escaping dangerous characters. For example, in PHP the addslashes() function is used to guard against SQL injection.
  - Input encoding.
  - Output encoding.
  - Using other programming techniques that are not affected by code injection vulnerabilities, such as "parameterized SQL queries" (also known as "prepared statements" and sometimes "bind variables") [2].