From b99eff3c906d62a6e91028d9663608e5ddaf0bf4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=85=83=E7=82=9C?= Date: Mon, 20 Feb 2017 14:10:24 +0800 Subject: [PATCH] Fix code typo --- de/09.4.md | 2 +- en/09.4.md | 2 +- ja/09.4.md | 2 +- pt-br/09.4.md | 2 +- zh/09.4.md | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/de/09.4.md b/de/09.4.md index d8823175..a7ef0f4b 100644 --- a/de/09.4.md +++ b/de/09.4.md @@ -32,7 +32,7 @@ If the user inputs a user name or password as: Then our SQL becomes the following: - SELECT * FROM user WHERE username='myuser' or 'foo'=='foo' --'' AND password='xxx' + SELECT * FROM user WHERE username='myuser' or 'foo' = 'foo' --'' AND password='xxx' In SQL, anything after `--` is a comment. Thus, inserting the `--` as the attacker did above alters the query in a fatal way, allowing an attacker to successfully login as a user without a valid password. diff --git a/en/09.4.md b/en/09.4.md index d6bbe9bd..dd1ec4cf 100644 --- a/en/09.4.md +++ b/en/09.4.md @@ -32,7 +32,7 @@ If the user inputs a user name or password as: Then our SQL becomes the following: - SELECT * FROM user WHERE username='myuser' or 'foo'=='foo' --'' AND password='xxx' + SELECT * FROM user WHERE username='myuser' or 'foo' = 'foo' --'' AND password='xxx' In SQL, anything after `--` is a comment. Thus, inserting the `--` as the attacker did above alters the query in a fatal way, allowing an attacker to successfully login as a user without a valid password. diff --git a/ja/09.4.md b/ja/09.4.md index a6e24337..1930899a 100644 --- a/ja/09.4.md +++ b/ja/09.4.md @@ -28,7 +28,7 @@ SQLインジェクションが発生する原因はプログラムがユーザ 我々のSQLは以下のようになります: - SELECT * FROM user WHERE username='myuser' or 'foo'=='foo' --'' AND password='xxx' + SELECT * FROM user WHERE username='myuser' or 'foo' = 'foo' --'' AND password='xxx' SQLでは`--`はコメントを表します。そのため、検索クエリは途中で中断されます。攻撃者は合法的なユーザ名とパスワードを知らなくてもログインに成功します。 diff --git a/pt-br/09.4.md b/pt-br/09.4.md index d8823175..a7ef0f4b 100644 --- a/pt-br/09.4.md 
+++ b/pt-br/09.4.md @@ -32,7 +32,7 @@ If the user inputs a user name or password as: Then our SQL becomes the following: - SELECT * FROM user WHERE username='myuser' or 'foo'=='foo' --'' AND password='xxx' + SELECT * FROM user WHERE username='myuser' or 'foo' = 'foo' --'' AND password='xxx' In SQL, anything after `--` is a comment. Thus, inserting the `--` as the attacker did above alters the query in a fatal way, allowing an attacker to successfully login as a user without a valid password. diff --git a/zh/09.4.md b/zh/09.4.md index d576a168..4050c750 100644 --- a/zh/09.4.md +++ b/zh/09.4.md @@ -35,7 +35,7 @@ SQL注入攻击(SQL Injection),简称注入攻击,是Web开发中最常 那么我们的SQL变成了如下所示: ```Go - SELECT * FROM user WHERE username='myuser' or 'foo'=='foo' --'' AND password='xxx' + SELECT * FROM user WHERE username='myuser' or 'foo' = 'foo' --'' AND password='xxx' ``` 在SQL里面`--`是注释标记,所以查询语句会在此中断。这就让攻击者在不知道任何合法用户名和密码的情况下成功登录了。
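Review bot: In the en/09.4.md hunk, and on the same line in the de, ja, pt-br and zh hunks, only the resulting query under "Then our SQL becomes the following:" changes from `'foo'=='foo'` to `'foo' = 'foo'`; the user input that the text introduces with "If the user inputs a user name or password as:" lies outside the diff. If that input line also spells the comparison with `==`, the displayed query no longer matches the input it is built from, so please check the input example in all five files and correct it in this same commit.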
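Review bot: In the zh/09.4.md hunk the corrected statement sits inside a fence tagged `Go`, although the line is a SQL query, so a highlighter will tokenize it as Go source. Since this line is being touched anyway, consider retagging the fence as `sql`; the other four hunks show no fence marker in their context, so zh is the only file affected.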