What are SQL injection, XSS and CSRF? This article will introduce you to SQL injection, XSS and CSRF. It has certain reference value. Friends in need can refer to it. I hope it will be helpful to you.
SQL injection
SQL injection is an injection attack. This kind of attack is because the code and data (such as user Sensitive data) isolation, caused by incorrectly executing the data as part of the code when reading the data.
A typical example is when concatenating strings in an SQL statement, directly using unescaped user input as a variable. At this time, as long as you make modifications in the middle of the sql statement, such as adding keywords such as drop and delete, the consequences after execution will be disastrous.
Speaking of which, how should we deal with this situation? Three aspects:
1. Filter special characters in user input parameters to reduce risks.
2. It is forbidden to splice sql statements through strings, and parameter binding must be strictly used to pass in parameters.
3. Reasonably use the mechanism provided by the database framework. For example, the method of passing in parameters provided by Mybatis is #{}. It is forbidden to use ${}. The latter is equivalent to string splicing SQL, and parameterized statements must be used.
To summarize, it is necessary to correctly use parameterized binding sql variables.
XSS
It refers to inserting malicious scripts into HTML pages requested by normal users through technical means and executing them.
This kind of attack is mainly used for information theft and destruction. For example, in the Weibo XSS attack in 2011, the attacker took advantage of the fact that the action-data vulnerability was not effectively filtered in the Weibo publishing function. When publishing Weibo information, he brought a URL containing the attack script, and users accessed it. Loading malicious scripts, causing a large number of users to be attacked.
Regarding preventing XSS, the main method is to filter or escape the data entered by the user. You can use the tool class HtmlUtil provided by the framework. In addition, when the front end displays data in the browser, it must use a secure API to display the data. For example, use innerText instead of innerHTML.
CSRF
Cross-site request forgery, without the user’s knowledge, pretends to be a user and sends a request to the currently logged in web page. Perform malicious operations on the website, such as malicious postings, changing passwords, etc.
Generally speaking, it overlaps with XSS. The former is when hackers steal the login information in the user's browser and impersonate the user to perform operations. The latter is to put malicious code in the HTML requested by normal users. The XSS problem lies in the user data not being escaped and filtered; the CSRF problem occurs in the HTTP interface that does not prevent untrustworthy calls.
Ways to prevent CSRF vulnerabilities:
1. CSRF Token verification, using the same origin restriction of the browser to verify the Token in the Cookie before the HTTP interface is executed. The request will continue to be executed only if passed.
2. Human-computer interaction, such as SMS verification code and interface slider.
Recommended video tutorials: "MySQL Tutorial"
The above is the entire content of this article, I hope it will be helpful to everyone's learning. For more exciting content, you can pay attention to the relevant tutorial columns of the PHP Chinese website! ! !
The above is the detailed content of What are SQL injection, XSS and CSRF?. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
