Problem description:
Many developers don't pay much attention to how the password check is done. When logging in against the database server, they simply write something like this:
    sql = "select * from user where username='" + username + "' and password='" + password + "'"

This SQL statement is very dangerous, or useless as a check, when someone logs in with a specially crafted username, for example by setting the username to hacker' or '1'=1'. The identity check then becomes the following:
  username='hacker' or '1'=1' and password=*******
We can see that this statement will always be true. That is the key issue.

Problem solution:
We must process the username and password variables whenever a client submits them. For example, we can re-encode the username and password so that all special characters such as ', =, ... are ignored or deleted.
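
An added example (not code from the original post), in Python with an in-memory SQLite database: the concatenated query from the problem description beside a version that uses bound parameters, which is a different technique from the character filtering suggested above. The table contents, function names and sample inputs are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: one account in an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("create table user (username text primary key, password text)")
    # Plaintext password only to mirror the page's query; real systems store a salted hash.
    db.execute("insert into user values (?, ?)", ("alice", "it's=secret"))
    return db

def login_concat(db, username, password):
    """The page's pattern: client input is pasted into the SQL text."""
    sql = ("select * from user where username='" + username +
           "' and password='" + password + "'")
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return None  # the input broke the statement's syntax

def login_bound(db, username, password):
    """Hardened form: placeholders keep input as data, never as SQL."""
    sql = "select * from user where username=? and password=?"
    return db.execute(sql, (username, password)).fetchone() is not None

def compare(db, username, password):
    """Return (concatenated result, bound result) for the same input."""
    return login_concat(db, username, password), login_bound(db, username, password)

if __name__ == "__main__":
    db = make_db()
    samples = [
        ("alice", "wrong"),                # plain wrong password
        ("alice' or '1'='1", "wrong"),     # quote in username rewrites the WHERE clause
        ("hacker' or '1'=1'", "x"),        # the username string as written in the post
        ("alice", "it's=secret"),          # legitimate password containing ' and =
    ]
    for username, password in samples:
        print(repr(username), repr(password), compare(db, username, password))
```

With bound parameters the quote characters never reach the SQL parser, so the crafted usernames are rejected and the legitimate password containing ' and = is accepted, while the concatenated query either accepts a wrong password or fails to parse.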
