这是SQL注入错误?
[英]is this sql injection error?
问题描述
i want to know if is this sql injection error or what ? 
我想知道这是SQL注入错误还是什么? and what db is there ? 还有什么分贝? mssql ? mssql的?
A Database Error Occurred 发生数据库错误
Error Number: 1054
Unknown column '20and' in 'where clause'
For Query :- 查询 :
select * from static_info where main_id=60%20and
and language_code='az' order by id desc
At Location :- 在位置 :-
Filename: /home/test/public_html/controllers/welcome.php
Line Number: 115
3 个解决方案
解决方案1
0 2015-01-07 06:32:49
You need to use single quotes for character columns 您需要对字符列使用单引号
select * from static_info where main_id='60%20and' and language_code='az'
order by id desc
解决方案2
0 2015-01-07 06:35:59
Yes this can be said as sql injection,because user can access your database from UTL, User can easily execute queries in database and harm to your database, If you notice [link] http://nidavh.org/news_index/1 , this will execute as a "select * from static_info where main_id=1 ..." and i can see staic pages by id. 是的,这可以说是sql注入,因为用户可以从UTL访问您的数据库,用户可以轻松地在数据库中执行查询并损害您的数据库,如果您注意到[link] http://nidavh.org/news_index/1 ,将执行为“ select * from static_info where main_id = 1 ...”,我可以通过id看到静态页面。 I hope you got my point 我希望你明白我的意思
You should use parameterized query to prevent sql injections 您应该使用参数化查询来防止SQL注入
Select * from TableName where Columnname1='Your Paremeters' and Columnname2='Your Parameters'
解决方案3
0
They are using Codeigniter for the framework, 他们使用Codeigniter作为框架,
the error which you posted is just telling you there's no 20and field existed, 您发布的错误只是告诉您不存在20and字段,
it's just an 404 Not Found like error, and the symbol which you trying to use will be escape , 它只是一个404 Not Found这样的错误,您尝试使用的符号将被转义 ,
that's one way to prevent SQL injection, there's a lot also. 那是防止SQL注入的一种方法,还有很多。
And if you trying to SQL injection then you'll get the following error: 而且,如果您尝试进行SQL注入,则会收到以下错误:
An Error Was Encountered
The URI you submitted has disallowed characters.
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.