SQL infuse flaw is contacted completely (1)

As the development of B/S mode application development, the programmer that uses this kind of mode to write applied program is increasing also. But the introductory threshold as a result of this industry is not high, the level of programmer and experience are uneven also, quite big when one part programmer is writing code, did not undertake judging to the lawful sex of user data-in, make apply a program to be put in safe hidden trouble. The user can refer a paragraph of database to inquire code, according to the result that the program returns, obtain certain the data that he considers to be informed, this is so called SQL Injection, namely SQL infuse.
SQL infuse is from normal WWW port is visited, and the surface visits distinction of it doesn't matter with general Web page it seems that, at present so the firewall of market won't issue warning to SQL infuse, if the administrator does not have the habit that examines IIS daily record, the likelihood is inbreaked for a long time to won't detect.
But, the gimmick of SQL infuse is quite agile, in infuse when the situation that can encounter a lot of accidents. Can undertake an analysis according to particular case, tectonic and clever SQL statement, get wanted data successfully thereby, be ace and " dish bird " essential distinction.
According to national condition, domestic website uses ASP Access or SQLServer occupy 70% above, PHP MySQ occupies L20% , other inadequacy 10% . In the article, we from cent introduction, enter rank the method that supreme class explains ASP infuse and skill, the article of PHP infuse by the compose of another friend Zwell of NB alliance, the hope has use to safe worker and programmer. The friend that knows ASP infuse also does not jump over an introduction please piece, because partial person is right,the basic judgement method of infuse returns existence error. Is everybody ready? Let's Go. . .
Introduction piece
If SQL infuse had not tried before you, so the first pace shows advanced => of => of option of =>Internet of tool of IE menu => to the scratch out before friendly HTTP wrong message is dropped first. Otherwise, no matter the server returns what error, IE shows only for mistake of HTTP 500 server, cannot obtain more clew information.
Principle of infuse of the first section, SQL
The following we begin from Www.19cn.com of a website (note: Before the article is published, already asked for so that this station stationmaster agrees, it is real data for the most part) .
On website home page, famous for " a variety of means of settlements that IE cannot open new window " link, the address is: Http://www.19cn.com/showdetail.asp? Id=49, we add only quote ' at the back of this address, the server can return the wrong clew below:
Wrong '80040e14' of Microsoft JET Database Engine
Previous12 Next