
[CS Knowledge] SQL Injection

좌충우돌 백엔드 개발자 일기🧐 (Rough-and-Tumble Backend Developer's Diary) · 2024. 8. 15. 20:32

SQL Injection is, as the name says, an attack that exploits a weakness in how an SQL statement is assembled from user input.
For example, to check at login time whether the user's ID and password match, a statement like the one below would typically be used.

//SELECT * FROM USER WHERE ID='' AND PW ='';

If TESTID' is typed into the ID field, an extra ' ends up in the statement and the query fails with a syntax error:
//SELECT * FROM USER WHERE ID='TESTID'' AND PW ='';

If ' or 1=1# is typed into the ID field instead, everything after # is treated as a comment, so the password check is discarded, every row is returned, and the login can succeed:

//SELECT * FROM USER WHERE ID='' or 1=1#' AND PW ='';

There are various other SQL injection techniques as well. To mitigate this at least to some degree, I was able to resolve the cases above by using PreparedStatement instead of the Statement class, passing the ID and password as bound parameters rather than splicing them into the SQL text.
(This test used MySQL, Eclipse and JDBC.)

//SQL Injection prevention: the ? placeholders are bound as data, so quotes or # in the input never become part of the SQL
PreparedStatement stmt = con.prepareStatement("select * from member where id=? and pw=?");
stmt.setString(1, id);
stmt.setString(2, pw);
ResultSet rs = stmt.executeQuery();
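As an added example (not code from the post), the same before/after check in Python against an in-memory SQLite table, which a test suite can run offline: `login_concat` builds the statement by string concatenation as in the vulnerable examples above, `login_param` binds the values the way PreparedStatement.setString() does. The `member` table and its rows are constructed for the demo; SQLite starts a comment with `--` where MySQL also accepts the `#` used above.

```python
import sqlite3

# Constructed in-memory table standing in for the post's USER/member table.
con = sqlite3.connect(":memory:")
con.execute("CREATE TABLE member (id TEXT, pw TEXT)")
con.executemany("INSERT INTO member VALUES (?, ?)",
                [("alice", "alice-pw"), ("bob", "bob-pw")])


def login_concat(id_, pw):
    """The 'before': the statement is built by concatenation, so the input
    is parsed as SQL. Returns the matching rows, or the database error
    message when the input breaks the statement."""
    sql = f"SELECT * FROM member WHERE id='{id_}' AND pw='{pw}'"
    try:
        return con.execute(sql).fetchall()
    except sqlite3.Error as e:
        return f"ERROR: {e}"


def login_param(id_, pw):
    """The fix: ? placeholders bind id/pw as data, exactly like
    PreparedStatement.setString(); quotes and comment markers in the
    input can never change the structure of the statement."""
    sql = "SELECT * FROM member WHERE id=? AND pw=?"
    return con.execute(sql, (id_, pw)).fetchall()


if __name__ == "__main__":
    # A stray quote: syntax error with concatenation, simply "no match" with binding.
    print(login_concat("TESTID'", ""))
    print(login_param("TESTID'", ""))
    # Comment-out payload: concatenation drops the pw check and returns every
    # row; binding compares the payload as a literal id and returns nothing.
    print(login_concat("' or 1=1--", ""))
    print(login_param("' or 1=1--", ""))
```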