lately , Our company's online business system has encountered a more difficult problem . The company's website online mall system was hacked , The user data in the database was stolen by hackers . Due to the disclosure of most customer information , The company received a customer complaint that the phone was often harassed , And receive advertising text messages . Due to the lack of professional safety technology, there is no experience in safety ,PHP The system is limited to the realization of functions . It seems that I need to learn something about safety SQL Injected attack , So I have to make up my mind , Work hard to learn about website security . Through continuous exploration , I found a better one PHP Safety books “PHP The road to safety ”. In the process of reading , I'll write down what I learned , So that we can learn and recall in the future .
After mastering the basic knowledge of website security , Through the access log and PHP Manual security analysis of the running log of the statement , The main source of the attack on the website is hidden in the website function code SQL Code injection vulnerability , To steal the website MYSQL Customer data in database . What measures should be taken for server security protection ?（2022 Essence of the year ）.
What is? SQL Code injection attack ?
as everyone knows ,SQL Injection vulnerability is one of the most harmful vulnerabilities among all website vulnerability types .SQL The principle of vulnerability injection is to submit parameter values through the normal request of the front-end customer , Submit illegal to server SQL Code command , Finally, it is inserted into the back-end database to execute the data set by the attacker SQL sentence . When communicating between the front end of the website and the database ,PHP The website code does not strictly check and prevent users from changing parameters at will . such as , Some parameter values allow strings to be written , Used to construct a malicious connection in the database SQL sentence , It's easy to hide potential website security risks . Server generation maintenance 2022 What are the contents of the year ?
SQL Injection will lead to the disclosure of database information , Especially the user privacy information stored in the database . Manipulate the database to tamper with specific website code , Modify the values of some fields in the database , Implant malicious code links , Implement website hanging horse attack , Jump to another website . The server may also be easily controlled remotely by hackers , Operating system provided by database server , Install and implant Trojan back door , An attacker can modify or control the operating system , Destroy hard disk data , And disable the system of the entire server . Common at present SQL Injection attacks include error reporting and injection , Normal injection , Implicit type injection , Blind injection , Wide byte injection and secondary decoding injection .PHP In the website SQL Injection vulnerability protection measures ：SQL Injection is the highest level vulnerability attack in the current website , It is also the easiest to protect . stay PHP In the source code ,SQL Injection code protection , It should be used reasonably MySQL Precompiled code provided by the database , Database connection usage PHP Data object extension or MySQL extend , precompile SQL Statement code into the website .
be based on MySQL Database PHP Precompiling process ,SQL Can be injected with malicious code , Mainly because its data and code instructions can be used at the same time . Query database using precompiled database , It can not only improve the security of the website , And it can improve the efficiency of website writing and query . Be a SQL When the statement needs to be executed more than once , Using precompiled statements can reduce processing time , increase sql Statement execution efficiency . In site code , Can pass PDO Module or MySQL Module pair SQL Precompile . Because pretreatment is SQL Statement submitted to MySQL
server And precompiled , When the client needs to execute SQL Statement time , Just upload the input parameters , Compare parameters to SQL Statement separation , Will not cause malicious parameter attacks , Fundamentally ensure the security of the database , And website security , If your website suffers SQL Injection attack , You can also find a professional website security company to repair it SQL Injection vulnerability , Domestic image SINE security , Green Alliance , Qiming star , Eagle Shield Security , Deeply convinced , They are all done quite well in China .