This article details a step‑by‑step penetration test on a university’s web platform, covering XSS file uploads, JWT tampering for arbitrary login, massive personal data leakage, SQL injection payloads, and the exposure of several AK/SK secrets, all with concrete screenshots and commands.
The article details a hands‑on investigation of a web application firewall that strips SQL keywords, shows how order‑by and CASE‑WHEN payloads can be used to probe column limits, construct blind injection strings, and ultimately achieve data extraction despite multiple filtering layers.
The article explains the FortiGhost (CVE‑2026‑21643) pre‑authentication SQL injection RCE vulnerability in FortiClient EMS and provides specific Google and Shodan search queries—title, HTML content, and favicon hash—to discover vulnerable instances.
During an authorized penetration test of a financial institution’s website protected by Alibaba Cloud WAF, the author discovered a SQL injection point, used MySQL’s chain‑comparison feature to close the injection, identified the database type, and crafted boolean‑based payloads—including POSITION and binary tricks—to extract the current user name character by character.
The article walks through setting up a Windows 2012 IIS environment, reverse‑engineering the product’s 3DES license check, analyzing web.config permissions, and uncovering multiple vulnerabilities—including SSRF, several SQL injections, and arbitrary file‑upload flaws—culminating in a full bypass of the EIS system’s authentication.
This article shares a collected list of 2023 Tencent backend developer compensation packages—showing total first‑year offers starting above 40 W RMB—followed by detailed explanations of interview questions covering Redis caching, MySQL transactions, hot‑key detection, SQL injection, HTTP/HTTPS differences, API timeout troubleshooting, and microservice migration strategies.
This guide outlines essential PHP security best practices—including timely updates, prepared statements, output escaping, safe file uploads, session hardening, server configuration, input validation, framework usage, and additional tools—to help developers protect web applications from prevalent threats.
The article shares iFlytek's recent campus salary packages, then dives into a detailed Java interview guide covering Redis data types, key expiration handling, thread safety, ThreadLocal usage, MySQL covering and composite indexes, slow‑query analysis, and SQL‑injection prevention techniques.
SQL injection lets attackers turn simple input fields into destructive commands that can delete or compromise databases; the article explains how string‑concatenated queries become vulnerable, demonstrates the attack step‑by‑step, and shows how parameterized queries via PreparedStatement and MyBatis’ #{ } syntax, plus defense‑in‑depth measures, effectively mitigate the risk.
The article dissects MyBatis' mechanisms for preventing SQL injection, compares the safe #{ } syntax with the risky ${ } syntax, explains the underlying PreparedStatement workflow, and provides concrete best‑practice guidelines and code examples for secure usage.
Even if your database appears functional and backed up, a single SQL injection can expose all data; this article reveals five often‑overlooked MySQL security configurations—disabling remote root login, turning off dangerous functions, enabling audit logs, enforcing SSL, and cleaning ghost accounts—to dramatically harden your database in under 30 minutes.
This article explains how using bound (parameterized) queries in SQL Server improves performance by enabling execution plan reuse, reducing compilation overhead and memory usage, while also preventing SQL injection, and discusses potential pitfalls like parameter sniffing and how to mitigate them with OPTION (RECOMPILE).
The article introduces Microstrategy, a US‑based BI firm with a large Hangzhou R&D center, outlines its generous 9‑5‑style work environment, details the interview stages—including written test, technical and non‑technical rounds—and provides concrete advice on self‑introduction, project presentation, system design, Canal‑MySQL sync, XXL‑Job video transcoding, Redis, MongoDB, SQL injection, Java exceptions, OOP concepts, and interview puzzles.
This guide walks through constructing a high‑performance, cost‑effective enterprise‑level Web Application Firewall using OpenResty, covering why OpenResty is ideal, core architecture, modules for request lifecycle management, IP control, rate limiting, SQL injection and XSS detection, intelligent CC protection, monitoring, performance tuning, deployment tips, real‑world case study, and future enhancements.
This article explains how a comprehensive, full‑stack security approach using Spring Security—covering request sanitization, parameterized queries, and built‑in authentication, authorization, CSRF and session safeguards—can dramatically reduce XSS and SQL injection vulnerabilities to near zero.
This guide walks you through Python's DB‑API, lists supported databases, shows how to install and use PyMySQL for basic CRUD operations, demonstrates retrieving auto‑increment IDs, prevents SQL injection, and explains thread‑safe connection pooling with DBUtils, including code examples for both locked and lock‑free scenarios.
This article walks through two real-world security flaws—a high‑risk SQL injection and a medium‑risk stored XSS—showing how the CodeBuddy AI assistant can automatically detect, analyze, and remediate them with prepared statements and CSP enhancements, while explaining the underlying concepts and best practices.
Python 3.14 adds the PEP 750 T‑string syntax to address security risks in existing string formatting methods like f‑strings, offering a template‑based approach that enables safer handling of user input, SQL queries, and HTML rendering.
The article outlines prevalent front‑end security threats such as XSS, SQL injection, CSRF, MITM, clickjacking, misconfiguration, and vulnerable dependencies, explains their underlying principles, and recommends practical mitigations including input validation, CSP, HTTPS/TLS, CSRF tokens, secure headers, regular audits, and dependency scanning.
This article examines essential security measures for PHP applications, covering protection against SQL injection, XSS, CSRF, unsafe file uploads, session fixation, weak passwords, error disclosure, and the importance of HTTPS, with practical code examples and configuration tips to build more resilient web services.
This article explains what network attacks are, outlines the most common attack types such as malware, DoS/DDoS, phishing, SQL injection and DNS tunneling, and provides practical prevention measures including regular updates, firewall configuration, VPN use, and security awareness training.
This article explains the fundamentals of SQL injection attacks, demonstrates step‑by‑step exploitation using the DVWA platform—including data extraction, login bypass, and injection point detection—and outlines practical prevention techniques such as input validation, regex filtering, and prepared statements.
This article explains essential techniques to protect PHP applications from SQL injection attacks, covering prepared statements, input validation, ORM usage, escaping, stored procedures, permission restrictions, web application firewalls, and logging, with practical code examples for PDO, MySQLi, and Eloquent.
This comprehensive guide explains why network security matters, describes common attack vectors such as SQL injection, XSS, CSRF, file‑upload flaws, DDoS, ARP spoofing, DNS hijacking, routing protocol weaknesses, and TCP/UDP issues, and provides practical prevention measures for each threat.
This article provides 10 detailed Python code examples demonstrating how to connect to, query, insert, update, delete, and manage MySQL databases with proper error handling and resource management.
This guide explains how to set up JDBC drivers, construct connection URLs, use PreparedStatement instead of Statement, iterate ResultSet safely, manage resources with try‑with‑resources, handle transactions, employ connection pools, and properly process SQLExceptions for robust Java database applications.
This article provides a comprehensive overview of web security, covering authentication, input validation, secure coding practices, SQL injection and XSS attack mechanisms, detection methods, defensive techniques, and best practices for secure file upload and download.
This article explains how Laravel’s built‑in features—such as Eloquent ORM, CSRF tokens, Blade auto‑escaping, the Hash facade, and the Encrypter service—help developers protect web applications against SQL injection, CSRF, XSS, insecure password storage, and data exposure.
This article explains how SQL injection attacks can compromise web applications and demonstrates how to securely handle user input in PHP by using the mysqli_real_escape_string function to escape special characters before constructing SQL queries, thereby protecting the database from malicious exploitation.
The article explains the practical reasons for adding the always‑true condition “WHERE 1=1” in SQL, covering its role in preventing syntax errors, facilitating dynamic query building, copying tables, and its historical performance impact on MySQL.
This article explains the principles, provides code examples, and outlines preventive measures for LDAP and SQL injection attacks in PHP, helping developers understand how these vulnerabilities work and how to secure their web applications through input validation, parameter binding, and access control.
This article explains the concept of SQL injection, demonstrates a vulnerable query example, and provides a step‑by‑step Spring Boot and MyBatis implementation—including table creation, Java controller, service, DAO, mapper, and configuration—to illustrate how proper parameter handling prevents injection attacks.
Learn how to leverage MyBatis-Plus's built-in CRUD capabilities, create custom SQL methods like SelectByErp, integrate them via a custom SqlInjector, and modify existing operations such as AlwaysUpdateSomeColumnById and UpdateById for sharding scenarios, enabling reusable and efficient data access across your backend.
This article outlines the most frequent security flaws found in PHP web applications—including SQL injection, XSS, CSRF, insecure file uploads, remote code execution, weak password storage, and session hijacking—and provides practical mitigation techniques for each.
This article presents practical Python examples for enhancing network security, covering symmetric and asymmetric encryption, hash functions, password hashing, SSL/TLS communication, SQL injection prevention, XSS mitigation, CSRF protection, and secure password storage to safeguard data and privacy.
This article explains what SQL injection is, demonstrates a vulnerable example, and presents four practical defenses for Java applications—including PreparedStatement, MyBatis #{} placeholders, request‑parameter filtering, and Nginx reverse‑proxy rules—complete with code snippets and configuration details.
The article explains PHP's addslashes() function, detailing its syntax, how it escapes specific characters, provides code examples, demonstrates its role in preventing SQL injection, and advises using stronger escaping methods such as mysqli_real_escape_string or PDO prepared statements.
The article explains why directly concatenating user input into SQL queries leads to injection vulnerabilities and demonstrates how to secure PHP database operations using input validation, escaping functions, and prepared statements with MySQLi and PDO, while comparing related sanitization functions.
SQL injection is a critical web security flaw where unsanitized user input can alter database queries, and this article explains its mechanics, demonstrates vulnerable Java code, and outlines four prevention methods—PreparedStatement, MyBatis #{}, request parameter filtering, and Nginx reverse‑proxy rules—complete with code examples.
This article introduces PHP security library functions such as htmlspecialchars(), htmlentities(), and mysqli_real_escape_string(), demonstrating with code examples how they filter and validate user input to prevent XSS and SQL injection attacks, while noting that additional security measures are still required.
This article explains why web applications need a Web Application Firewall, introduces ModSecurity as a WAF for Nginx, and provides step‑by‑step installation, configuration, custom rule creation, and service restart commands to defend against attacks such as SQL injection and XSS.
This article explains the concepts, classifications, and risks of XSS and SQL injection attacks, demonstrates how MyBatis and SpringBoot filters can be used to sanitize inputs and request bodies, and provides practical code examples for implementing robust web application security.
This article explains XSS attack types, SQL injection risks, and provides practical SpringBoot filter implementations with MyBatis prepared statements and custom deserializers to sanitize request parameters, JSON bodies, and prevent malicious script and database attacks.
This article explains how forged HTTP headers can lead to SQL injection, demonstrates PHP functions for obtaining client IPs, shows blind injection payloads for enumerating databases, tables, columns, and users, and provides practical sqlmap commands and code examples for exploiting and testing vulnerabilities.
This article explains how to identify MySQL injection points, determine the number of columns with ORDER BY, enumerate fields via UNION SELECT, leverage common MySQL functions, and exploit the load_file() function—including char() encoding, replace, substring, and INTO OUTFILE—to read or write files on the target system.
The article provides a detailed security analysis of the XiongHai CMS 1.0, describing its directory structure and exposing multiple vulnerabilities including file inclusion, SQL injection, XSS, and vertical privilege escalation, along with example exploit code.
This article provides an extensive overview of phpMyAdmin security weaknesses, detailing information‑gathering techniques, version detection, path discovery, multiple exploitation methods such as file writes, log manipulation, slow‑query abuse, user‑defined functions, MOF attacks, and step‑by‑step PoCs for numerous CVEs, all illustrated with concrete SQL and script examples.
This article walks through the most common MyBatis SQL injection patterns—like, IN, and ORDER BY—explains why they occur, and provides a step‑by‑step hands‑on methodology for locating, reproducing, and confirming the flaws in a real Java CMS project.
This guide walks through common MyBatis SQL injection patterns—like fuzzy queries, IN clauses, and ORDER BY misuse—showing how to locate vulnerable XML, trace the call chain, and confirm exploitation with a crafted request, providing practical steps for Java security auditors.
This article explains the fundamentals of SQL injection attacks, outlines their severe consequences, and provides a comprehensive set of prevention principles and practical measures—including parameterized queries, strong typing, input validation, and secure MyBatis configurations—to help developers safeguard backend applications and databases.
This article explains how SQL injection can exploit a Java Spring course‑selection system by concatenating user input into SQL statements, demonstrates various injection techniques such as always‑true conditions and UNION queries, and provides multiple defensive measures including prepared statements, type checking, permission restrictions, and request‑parameter filtering.
This article provides a comprehensive overview of essential information security technologies, covering network attacks such as SQL injection, XSS, CSRF, DDoS, DNS and TCP hijacking, system vulnerabilities like stack overflow and privilege escalation, and core cryptographic concepts including symmetric/asymmetric encryption, key exchange, hashing, encoding, and multi‑factor authentication.
This article explains how MyBatis' ${} and #{} placeholders differ in SQL generation, demonstrates their usage with code examples, analyzes the SQL injection risks of ${} versus the safety of #{} through prepared statements, and provides practical guidelines for choosing the appropriate placeholder in various scenarios.
This article details a step‑by‑step penetration testing process where the author captures network traffic from a mobile app, enumerates hidden API endpoints, exploits injection flaws to retrieve backend credentials, examines upload validation, and ultimately gains admin access while highlighting the challenges faced.
This article explains how MyBatis' ${} and #{} placeholders differ in syntax substitution and security, demonstrates their usage with DAO interfaces, Mapper XML, and JUnit tests, analyzes SQL injection risks, shows the underlying PreparedStatement handling, and provides practical guidelines for when to use each placeholder.
This article educates front‑end engineers about common web security threats such as XSS, CSRF, directory exposure, SQL injection, command injection, DDoS, and hijacking, and provides practical mitigation techniques and best‑practice principles to build more secure web applications.
This article introduces web security testing, explains why it is essential, describes common vulnerabilities such as weak passwords, XSS, CSRF, SQL injection, authorization bypass, and file upload issues, and offers practical prevention measures and testing guidelines for developers and testers.
This article explains the causes, impacts, and various techniques of SQL injection attacks in PHP applications, demonstrates vulnerable code examples, and provides practical mitigation measures such as input validation, error handling, character encoding considerations, and secure coding practices.
This article explains the principles behind SQL injection, common pitfalls in MyBatis and other ORM tools, and provides concrete safe coding patterns, configuration tips, and code examples to help developers eliminate injection vulnerabilities in their persistence layer.
This article demonstrates how to implement a safe batch‑update method for Laravel's Eloquent models that prevents SQL injection, provides the full PHP implementation, usage example, and the resulting SQL statement, highlighting the performance benefits over individual updates.
This guide explains common MyBatis SQL injection patterns—LIKE, IN, and ORDER BY—shows how to locate vulnerable $ placeholders in XML mappers, trace them through DAO and controller layers, and confirm exploitation with a crafted request, providing practical steps for secure Java web auditing.
This article explains how to identify and exploit MyBatis‑based SQL injection vulnerabilities by examining XML and annotation mappings, covering common pitfalls such as fuzzy queries, IN clauses, and ORDER BY, and provides a step‑by‑step practical analysis using a real open‑source CMS project.
This article explains how SQL injection can still occur in Java applications using MyBatis, describes the three typical vulnerable patterns (LIKE, IN, ORDER BY), and provides a step‑by‑step practical workflow—including code snippets and verification—to help beginners audit and remediate such issues.
MyBatis‑Plus enhances MyBatis by automatically injecting CRUD SQL via BaseMapper, using entity annotations and template methods to map classes to tables, eliminating repetitive manual SQL, supporting lambda queries, pagination, and performance tools, all with minimal intrusion and overhead.
This article presents practical secure coding guidelines—including input escaping, avoiding auto‑increment IDs, minimalist HTTP methods, least‑privilege design, mandatory HTTPS, strong encryption algorithms, and whitelist‑based execution—to help developers embed real‑time security into modern software.
This tutorial walks you through a complete web penetration test on the fictional site hack‑test.com, covering DNS enumeration, server fingerprinting, vulnerability scanning with Nikto and w3af, exploiting SQL injection via sqlmap, uploading a PHP webshell, gaining a reverse shell, and finally escalating to root privileges on a Linux server.
This article introduces the fundamentals of SQL injection, explains Sqlmap's five injection techniques, lists supported databases, shows installation methods, walks through essential commands and options, and provides practical examples for testing and exploiting vulnerable web applications.
A former Facebook engineer serving as Gab's CTO introduced a simple SQL injection flaw, which hackers exploited to steal data from 15,000 users, prompting a $500,000 ransom demand, code deletion, and a heated debate over CTO responsibilities and security best practices.
A former Facebook engineer, newly hired as CTO of the social platform Gab, introduced a simple SQL injection vulnerability by removing critical reject and filter calls, allowing hackers to steal 70 GB of user data, demand a $500,000 Bitcoin ransom, and expose the company's lax security practices.
An Apple iCloud account was denied and the user’s ID locked for six months because her surname “true” was mistakenly treated as a Boolean value, highlighting how unescaped input can trigger security mechanisms and the importance of proper string handling in software systems.
An Apple iCloud applicant named Rachel True was denied service and had her account locked for six months because the system mistakenly treated her surname "true" as a Boolean value, highlighting how improper input handling can trigger security defenses like SQL‑injection protection.
A recent data breach at the extremist platform Gab was traced to a senior engineer who removed critical SQL‑injection defenses, illustrating how a single CTO’s poor security decisions can jeopardize millions of user records and spark major political fallout.
A recent DDoSecrets leak revealed that Gab’s new CTO introduced a simple SQL injection flaw in the Rails codebase, allowing hackers to steal 70 GB of user data, prompting the CEO’s public apology, code deletions, and a stark reminder of the importance of secure coding practices.
This article introduces Python's DB-API for interacting with various databases, explains how to use PyMySQL and MySQLdb for MySQL operations, demonstrates basic CRUD examples, shows techniques to prevent SQL injection, and presents connection pooling solutions with DBUtils for multi‑threaded applications.
This article reviews Java persistence technologies, shows how raw string concatenation in JDBC, MyBatis, JPA/Hibernate and native SQL can lead to SQL injection, and provides concrete safe‑coding patterns such as PreparedStatement, #{ } bindings, named parameters, and dynamic‑SQL safeguards.
This article details Laiye Technology's end‑to‑end security strategy—including application hardening, password policies, brute‑force defenses, SQL injection, XSS and CSRF mitigations, privilege controls, secure file uploads, code‑review standards, and infrastructure vulnerability scanning—to protect sensitive data and AI‑driven robot platforms from a wide range of attacks.
The article describes how the Wukong Activity Platform’s data‑persistence layer uses Node.js as a BFF with MySQL, combines raw drivers, optional ORMs, and a custom lightweight Node‑MyBatis framework that offers dynamic SQL templating, built‑in injection protection, declarative transaction decorators, and automatic TypeScript type generation for full‑stack JavaScript development.
This article explains common web security threats—including XSS, SQL injection, CSRF, CC, DoS, and DDoS—detailing their mechanisms, potential impacts, and practical defense strategies such as input validation, token usage, Referer checks, and resource limiting to protect applications and servers.
This article explains how improper use of MyBatis in Java web applications can lead to SQL injection vulnerabilities, illustrates three typical injection scenarios with code examples, and provides a step‑by‑step practical workflow for discovering and confirming such flaws in a real CMS project.
This article walks through the typical ways MyBatis can introduce SQL injection—through misuse of # and $ in LIKE, IN, and ORDER BY clauses—provides correct code examples, and demonstrates a step‑by‑step reverse‑engineering workflow on an open‑source CMS to locate and confirm the vulnerability.
This article explains how improper use of MyBatis in Java web applications can lead to SQL injection vulnerabilities, illustrates three typical injection patterns with code examples, and provides a step‑by‑step practical methodology for locating and confirming such flaws in an open‑source CMS project.
This article explains common MyBatis SQL injection patterns such as fuzzy queries, improper use of the $ placeholder in IN clauses and ORDER BY statements, and provides a step‑by‑step methodology for locating, analyzing, and confirming these vulnerabilities in Java web applications.
This article examines the prevalence of SQL injection attacks, presenting Imperva’s recent statistics, common attack vectors, real-world examples, and practical defenses such as prepared statements, input sanitization, and web application firewalls, while also offering Python code illustrations of secure and insecure database queries.
This guide explains common MyBatis‑related SQL injection patterns such as fuzzy LIKE queries, improper IN clause handling, and unsafe ORDER BY usage, and walks through a practical step‑by‑step analysis of a real Java CMS project to locate and confirm the vulnerabilities.
This article explains the fundamentals of web security, outlines typical web architecture, classifies penetration testing approaches, enumerates common vulnerabilities such as SQL injection, XSS, file upload and deserialization, and discusses how attackers combine these flaws to launch advanced exploits.
This article explains what SQL injection is, demonstrates a SQLite example that injects malicious code to drop a table, and then shows how to prevent such attacks using parameterized queries, input validation, and secure coding practices.
This article explains Java persistence technologies—including JDBC, MyBatis, JPA, and Hibernate—highlights common patterns that cause SQL injection, and provides concrete techniques such as parameterized PreparedStatement, MyBatis #{ } binding, dynamic SQL whitelisting, and proper JPA/Hibernate query parameter usage to securely handle user input.
This article demonstrates how to perform sophisticated MyBatis‑Plus queries—such as date filtering, manager name prefix matching, sub‑queries, INNER JOIN, dynamic SQL with apply, and inSql—while highlighting potential SQL‑injection risks and providing complete Java test code examples.
This article explains what SQL injection is, demonstrates a vulnerable SQLite example that drops a table using malicious input, shows why the attack works, and provides practical prevention techniques such as using parameterized queries, input validation, unpredictable table names, and regular backups to secure databases.
This article explains several typical web security threats—including XSS, SQL injection, request forgery, CSRF, hotlink protection, upload/download vulnerabilities, and whitelist/blacklist misuse—while providing concrete Java code examples and practical defense techniques to mitigate each risk.
This article explains the differences between functional and security testing, introduces common web vulnerabilities such as SQL injection, cross‑site scripting (XSS), and cross‑site request forgery (CSRF), provides concrete code examples, and offers practical tips for detecting and preventing these issues.
The article outlines several SQL injection vulnerabilities discovered in various Sequelize ORM versions, explains the underlying causes related to improper JSON path key handling for MySQL, MariaDB, Postgres, and SQLite, provides reproduction screenshots, and strongly advises upgrading to patched releases.
This article explains the dangers of XSS and SQL injection attacks, demonstrates realistic attack scenarios, and provides a comprehensive backend solution using Spring AOP, HttpMessageConverter, custom Servlet Filters, request wrappers, and ESAPI to sanitize inputs and protect web applications.
This article explains the fundamentals of injection attacks, focuses on SQL injection as part of the OWASP Top 10, classifies injection vectors by data type, submission method, and impact, and provides concrete examples and defensive measures to protect web applications.
This article explains the difference between MyBatis #{ } and ${ } placeholders, how the misuse of ${ } can cause SQL injection and incorrect IN‑clause queries, and demonstrates a safe solution using the foreach tag to handle list parameters.
This article explains the difference between MyBatis #{ } and ${ } placeholders, why using ${ } can cause SQL injection and IN‑clause errors, and how to safely resolve the issue with proper parameter handling and the foreach tag.
This article explains why database injection remains a critical security threat, illustrates how attackers exploit vulnerable web applications using manual techniques and automated tools such as sqlmap, and provides comprehensive defensive measures spanning secure coding, database hardening, web‑server configuration, WAF deployment, and log‑analysis to protect sensitive data.
This article introduces the most common web application vulnerabilities—including SQL injection, XSS, CSRF, file upload, file inclusion, clickjacking, and URL redirect—explaining how attackers exploit them and the potential impacts on websites and their users.
The article explains how attackers compromise MySQL servers, create a WARNING table with ransom instructions demanding Bitcoin, and provides concrete SQL examples and four practical defense measures—including strong authentication, disabling public access, regular backups, and application hardening—to protect databases.
This article details a high‑severity SQL injection vulnerability in Zabbix’s jsrpc.php profileIdx2 parameter that allows unauthenticated attackers to gain system privileges, outlines its impact, demonstrates testing methods with screenshots, analyzes the vulnerable code paths, and recommends mitigation steps such as upgrading, patching, and disabling the guest account.
