Vulnerability to SQL injection attacks is caused first of all by accessing the database through dynamically built queries.
For example:
$id = $_GET['id'];   // value taken directly from the request (assumed source of the user input)
// Vulnerable: the user-controlled value is concatenated straight into the SQL text
$query = "SELECT * FROM tablename WHERE id = '" . $id . "';";
One way to defend against such an attack is to substitute special characters. For example, the quote character ( ' ) and the semicolon ( ; ) can be replaced with characters that are displayed the same way but which the program interprets as different characters.
Protection against SQL injection
The most effective way to defend against the attack is to access the database through prepared statements. An example of such a query is the following:
// Placeholders (?) mark where the values go; the SQL text itself never changes
$stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email) VALUES (?, ?, ?)");
// Values are bound separately and sent as data, not as part of the SQL ("sss" = three strings)
$stmt->bind_param("sss", $firstname, $lastname, $email);
$stmt->execute();
Or
mysql> PREPARE stmt1 FROM 'SELECT SQRT(POW(?,2) + POW(?,2)) AS hypotenuse';
mysql> SET @a = 3;
mysql> SET @b = 4;
mysql> EXECUTE stmt1 USING @a, @b;
If we take the human factor into account, using prepared statements in every place may be forgotten. For that reason it is advisable to apply both types of protection.
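The following is an added example (not code from the original slides) that puts the three approaches above side by side: the dynamic query built by concatenation, the escaping of the quote character, and a prepared (parameterized) statement. It uses Python's built-in sqlite3 module and a constructed in-memory table instead of PHP/MySQL so that it runs offline; the table name and rows are assumptions, and the `?` placeholder syntax is the same as in the mysqli and MySQL examples.

```python
import sqlite3

# Constructed sample data (not from the original page): a tiny in-memory table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tablename (id INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO tablename VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def lookup_dynamic(conn, user_id):
    # Vulnerable: the user-supplied text becomes part of the SQL statement itself,
    # exactly like the $query example on the first slide.
    query = "SELECT * FROM tablename WHERE id = '" + user_id + "'"
    return conn.execute(query).fetchall()


def escape_single_quotes(value):
    # The "substitute special characters" defence: a quote inside the value is
    # written as '' so the database reads it as a literal character, not as the
    # end of the string.  This is only the second, fallback layer.
    return value.replace("'", "''")


def lookup_escaped(conn, user_id):
    query = "SELECT * FROM tablename WHERE id = '" + escape_single_quotes(user_id) + "'"
    return conn.execute(query).fetchall()


def lookup_prepared(conn, user_id):
    # Prepared statement: the SQL text is fixed, the value is bound separately and
    # is never parsed as SQL, whatever characters it contains.
    return conn.execute("SELECT * FROM tablename WHERE id = ?", (user_id,)).fetchall()


def compare(user_id):
    # Returns the number of rows each approach gives back for the same input.
    conn = make_db()
    result = {
        "dynamic": len(lookup_dynamic(conn, user_id)),
        "escaped": len(lookup_escaped(conn, user_id)),
        "prepared": len(lookup_prepared(conn, user_id)),
    }
    conn.close()
    return result


if __name__ == "__main__":
    # A normal id: every approach returns one row.
    print(compare("2"))
    # An input containing a quote changes the meaning of the concatenated query
    # (it is no longer a lookup of one id), while the escaped and prepared
    # versions simply find no row with that literal value.
    print(compare("2' OR '1'='1"))
```

Only the prepared version keeps the query structure independent of the input; the escaping function exists for the case the slides describe, where a prepared statement was forgotten somewhere, and should not be relied on as the primary defence.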
Thank you for your attention!