The so-called SQL injection is to submit or input the query string of domain name or page request by inserting SQL command into Web form, thus deceiving the server to execute malicious SQL command. Specifically, it is the ability to use existing applications to inject (malicious) SQL commands into the background database engine for execution. It can get the database on the website with security holes by inputting (malicious) SQL statements in the web form, instead of executing the SQL statements according to the designer's intention. For example, in the past, many film and television websites leaked the passwords of VIP members, and most of them submitted query characters through web forms, which was particularly vulnerable to SQL injection attacks. \x0d\ protection \ x0d \ can be summarized as follows: \x0d\ 1. Never trust the user's input. You can check the user's input by regular expressions or limiting the length; Convert single quotation marks and \x0d\ double "-"and so on. \x0d\2。 Never use dynamically assembled sql. You can use parameterized sql or directly use stored procedures for data query and access. \x0d\3。 Instead of using a database connection with administrator rights, use a separate database connection with limited rights for each application. \x0d\4。 Do not directly store confidential information, encrypt or hash out passwords and sensitive information. \x0d\5。 Give as few hints as possible about the abnormal information of the application, and it is best to package the original error information with the user-defined error information. \ x0d \ 6。 The detection method of sql injection generally adopts auxiliary software or website platform. Generally, the software adopts the SQL injection detection tool jsky, and the website platform has the detection tool of the E-safe website platform. MDCSOFT scanning, etc. MDCSOFT-IPS can effectively defend against attacks such as SQL injection and XSS.