WEB°²È«½â¾ö·½°¸Ò»Ö®SQL×¢Èë·À·¶

Ò»¡¢SQL×¢Èë·À·¶
ÔÚÒ»¸öWEB¶¯Ì¬Ò³ÃæÖУ¨ÀýÈçaspx»òÕßjsp£©£¬Õâ¸öÒ³ÃæÔÊÐíÓû§ÔÚÊäÈë¿òÖÐÊäÈë×Ö·û£¬Õâ¸ö×Ö·û¿ÉÒÔ±»ÒýÈëµ½Êý¾Ý¿âÖÐÈ¥½øÐвéѯ£¨ÕâÀïµÄ²éѯÊÇͨÓõÄ˵·¨£¬Êµ¼ÊÉÏ°üÀ¨ÁËÔöɾ¸Ä²é£©²Ù×÷¡£Ò»¸öºÚ¿ÍÔÚÕâ¸öÊäÈë¿òÖÐÊäÈëÁËÒ»¸ö»ûÐβéѯ×Ö·û´®£¬´Ó¶ø¸Ä±äÁËÔ­ÓеIJéѯ£¬Õâ¿ÉÒÔ±»ÓÃÀ´²åÈ룬¸Ä±ä£¬»òË𺦺ǫ́Êý¾Ý¿â¡£Ôõô¿ÉÄÜÄØ£¿Çë¿´ÏÂÃæµÄÀý×Ó¡£
       ÒԵǽΪÀý£¬ºǫ́´úÂëͨ¹ý¹¹ÔìSQLÓï¾ä“select * from user where   username = 'txtUserName.Text.Trim() 'and password ='txtPwd.Text.Trim()';Èç¹ûÓû§ÔÚÊäÈë¿òÖÐÊäÈëÓû§ÃûΪadmin'or'1'='1, ÈúóÈÎÒâÊäÈë±ÈÈç123ΪÃÜÂ룬Ôòºǫִ́ÐеÄSQLÓï¾äΪselect * from user where username='admin'or'1'='1'and password='123';ÕâÊÇ£¬ÎÞÂÛÃÜÂëÊÇ·ñÕýÈ·£¬×îÖÕSQLÓï¾ä²éѯ½á¹û¶¼²»Îª¿Õ£¬Õâ±ãÊÇÒ»¸öµäÐ͵ÄSQL×¢Èë¹¥»÷£¬Í¨¹ý´ËÖÖ·½Ê½£¬¹¥»÷Õ߳ɹ¦ÈƹýÃÜÂëÑéÖ¤£¬µÇ½ϵͳ¡£Ò»¸öµäÐ͵Ľâ¾ö·½°¸Êǹ¹Ôì“select count(*) from user where username='txtUserName.Text.Trim() 'and password = 'txtPwd.Text.Trim()'ÕâÑùµÄSQLÓï¾ä£¬ÕâÑùÈç¹û¹¥»÷Õß²ÉÈ¡ÉÏÊö¹¥»÷·½Ê½£¬Ôò»áÒòΪ·µ»ØµÄcountÖµ´óÓÚ1¶øÑé֤ʧ°Ü¡£ 
 µ«ÎÊÌâ²¢²»»áÒò´Ë½áÊø£¬Èç¹û¹¥»÷Õß¹¹ÔìÈçÏµĹ¥»÷Óï¾äÄØ£¿±ÈÈç“select count(*) from user where username=’txtUserName.Text.Trim() ‘--and password =’txtPwd.Text.Trim’£¬×¢Òâ¼Ó´ÖµÄ²¿·Öʵ¼ÊÉÏÊDZ»×¢Ê͵ôÁË£¬Ò²¾ÍÊÇ˵ÑéÖ¤½«»á³É¹¦¡£¸üÀ÷º¦µÄ£¬¹¥»÷Õ߻ṹÔì³ö“select count(*) from user where username ='txtUserName.Text.Trim() ';drop table user ;--’ and password ='txtPwd.Text.Trim';×¢Òâµ½²»½öÑé֤ͨ¹ý£¬¶øÇÒuser±í±»É¾³ý£¬ÕâÏÂ×ÓË­¶¼²»ÒªÏëÔٵǽÁË¡£
 ÀàËƵģ¬ºÚ¿ÍÃÇͨ¹ý¾«ÇɵĹ¹Ô죬¿ÉÒÔ´ïµ½ÈƹýÃÜÂëÈÏÖ¤£¬ÐÞ¸ÄÆÆ»µ¹Ø¼üÊý¾Ý£¬ÄËÖÁ»ñȡϵͳÍêÈ«¿ØÖÆȨµÄÄ¿µÄ¡£ÕâÀïÄãÒ²Ðí»áÎʹ¥»÷ÕßÈçºÎµÃµ½Êý¾Ý¿âÖеıíÃûºÍ×ֶΣ¬ÕâÀïÒ»ÖÖ·½·¨ÊDZ©Á¦Æƽ⣬¸ù¾Ý¹æÂɳ¢ÊÔ£¬±ÈÈçϵͳ¶à´æÔÚuser±í£¬ÓÃÀ´´æ·ÅÓû§ÐÅÏ¢¡£ÁíÍâÒ»ÖÖ·½·¨ÊÇÀûÓÃSQL×¢Èë¹¥»÷²Â½â£¬Í¨¹ý¹¹ÔìһЩÄܹ»Ê¹Êý¾Ý¿â²úÉú´íÎóÐÅÏ¢µÄSQLÓï¾ä£¬»ñÈ¡Êý¾Ý¿âµÄÃô¸ÐÐÅÏ¢£¬½øÐбíÃûºÍ×ֶεIJ½⣬ÃÜÂëÆƽâµÈ¡£
½â¾ö·½·¨
1.   ±ÜÃâʹÓö¯Ì¬Éú³ÉµÄSQLÓï¾ä
ͨ¹ý×Ö·û´®Ïà¼ÓµÄ·½Ê½¶¯Ì¬Éú³ÉµÄSQLÓï¾äÕýÊÇSQL×¢ÈëµÄÍò¶ñÖ®Ô´£¬