{"id":9580,"date":"2024-11-11T10:35:44","date_gmt":"2024-11-11T01:35:44","guid":{"rendered":"https:\/\/www.auctionpro.co.kr\/?p=9580"},"modified":"2024-11-11T11:13:36","modified_gmt":"2024-11-11T02:13:36","slug":"sql-injection","status":"publish","type":"post","link":"https:\/\/www.auctionpro.co.kr\/?p=9580","title":{"rendered":"SQL Injection"},"content":{"rendered":"\n<p>A SQL injection attack inserts malicious SQL code into a database query in order to manipulate the database or steal sensitive information. The main ways to prevent SQL injection are as follows:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. Use parameterized queries<\/h3>\n\n\n\n<p>As in the example provided earlier, using parameterized queries separates the data from the commands in a SQL statement, which blocks SQL injection attacks. 
User input is never assembled directly into the SQL code, and the input data is handled with the appropriate type and format before it is passed to the database.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example<\/h3>\n\n\n\n<div class=\"wp-block-urvanov-syntax-highlighter-code-block\"><pre class=\"lang:c# decode:true \" >using System;\nusing System.Data;\nusing System.Data.SqlClient;\nusing System.Xml;\n\npublic static string GetQuery(string SERVERTYPE, string ID)\n{\n    string connectionString = \"your_connection_string_here\"; \/\/ Define the connection string\n\n    string query = \"SELECT SERVERTYPE, ID, SERVICE, NUM, STATUS, PATH, FILENAME, NOTE \" +\n                   \"FROM BasicCode.LOG_FILE \" +\n                   \"WHERE SERVERTYPE = @SERVERTYPE AND ID = @ID\";\n\n    try\n    {\n        using (SqlConnection conn = new SqlConnection(connectionString))\n        using (SqlCommand cmd = new SqlCommand(query, conn))\n        {\n            conn.Open();\n\n            \/\/ Set the SQL parameters\n            cmd.Parameters.AddWithValue(\"@SERVERTYPE\", SERVERTYPE);\n            cmd.Parameters.AddWithValue(\"@ID\", ID);\n\n            using (SqlDataAdapter sqlDataAdapter = new SqlDataAdapter(cmd))\n            {\n                DataSet payment = new DataSet();\n                sqlDataAdapter.Fill(payment, \"DATAS\");\n\n                XmlDocument xml = new XmlDocument();\n                xml.PreserveWhitespace = true;\n                xml.LoadXml(payment.GetXml());\n\n                return xml.OuterXml;\n            }\n        }\n    }\n    catch (Exception)\n    {\n        \/\/ Simply rethrow the exception, preserving the stack trace\n        throw;\n    }\n}<\/pre><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">2. 
Use stored procedures<\/h3>\n\n\n\n<p>Stored procedures are another way to prevent SQL injection. Because the SQL code is stored in the database in advance and the application only calls the stored procedure, it is difficult to inject the SQL code to be executed from outside.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example<\/h3>\n\n\n\n<p>The C# using statement is very useful when working with objects that implement the IDisposable interface. .NET data access objects such as SqlConnection, SqlCommand and SqlDataAdapter implement IDisposable, so the Dispose method is called automatically when the using block ends. The Dispose method internally calls the Close method to close the database connection.<\/p>\n\n\n\n<p>Therefore, with a using statement the connection is closed safely even without an explicit call to Close(). 
This makes the code more concise and safer, and because resource release is managed automatically it prevents resource leaks.<\/p>\n\n\n\n<p>In the improved code there is no need to call sqlConnection.Close(), because the connection is closed automatically when the using block ends. This is a good way to make the code more concise and reduce errors.<\/p>\n\n\n\n<div class=\"wp-block-urvanov-syntax-highlighter-code-block\"><pre class=\"lang:c# decode:true \" >\nusing System;\nusing System.Data;\nusing System.Data.SqlClient;\nusing System.Xml;\n\npublic static string GetQuery(string ID, string PASSWD)\n{\n    string connectionString = \"your_connection_string_here\"; \/\/ Declare the connection string explicitly here\n\n    try\n    {\n        using (SqlConnection sqlConnection = new SqlConnection(connectionString)) \/\/ Manages the connection\n        using (SqlDataAdapter sqlDataAdapter = new SqlDataAdapter(\"GetQuerySP\", sqlConnection))\n        {\n            sqlDataAdapter.SelectCommand.CommandType = CommandType.StoredProcedure;\n\n            \/\/ Set the @ID parameter\n            SqlParameter paramID = new SqlParameter(\"@ID\", SqlDbType.VarChar, 6);\n            paramID.Value = ID;\n            sqlDataAdapter.SelectCommand.Parameters.Add(paramID);\n\n            \/\/ Set the @PASSWD parameter\n            SqlParameter paramPASSWD = new SqlParameter(\"@PASSWD\", SqlDbType.VarChar, 10);\n            paramPASSWD.Value = PASSWD;\n            sqlDataAdapter.SelectCommand.Parameters.Add(paramPASSWD);\n\n    
        DataSet payment = new DataSet();\n            sqlDataAdapter.Fill(payment, \"DATAS\");\n\n            XmlDocument xml = new XmlDocument();\n            xml.PreserveWhitespace = true;\n            xml.LoadXml(payment.GetXml());\n\n            return xml.OuterXml;\n        }\n    }\n    catch (Exception) \/\/ If an exception occurs, rethrow it to the caller while preserving the stack trace\n    {\n        throw;\n    }\n}<\/pre><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">3. Use an ORM (Object-Relational Mapping)<\/h3>\n\n\n\n<p>ORM frameworks let you perform database operations in an object-oriented way instead of writing SQL queries directly, and most ORM technologies use parameterized queries internally. For example, using an ORM such as Entity Framework or NHibernate can greatly reduce the risk of SQL injection attacks.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. Validate user input<\/h3>\n\n\n\n<p>Input data must be properly validated everywhere user input is accepted. This is important for preventing not only SQL injection but other forms of attack as well. 
The type, length and format of the input data must be validated, and the input must be checked for unexpected characters or SQL keywords.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5. Apply the principle of least privilege<\/h3>\n\n\n\n<p>Minimizing database access privileges is also important. Privileges should be restricted so that each application or user can access only the minimum data it needs. For example, a service that only needs to read some data should not be granted privileges to insert, modify or delete data.<\/p>\n\n\n\n<p>Using these methods together effectively blocks SQL injection attacks.<\/p>\n\n\n\n<p>Parameterized queries prevent SQL injection attacks because data and code are clearly separated. 
In this approach user input is not combined directly into the SQL command; instead, the SQL command is precompiled with parameters (placeholders), and the user data is bound to the SQL command only at execution time. The process in detail is as follows:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. Query separation<\/h3>\n\n\n\n<p>A parameterized query separates the SQL code from the user input. The SQL statement contains placeholders (for example @Username, @Password), which are assigned values later, at the execution stage. In this way the user input does not become part of the SQL command and is treated simply as a value.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. Data type validation<\/h3>\n\n\n\n<p>The database engine automatically validates the type of the data received as a parameter. For example, it can automatically return an error when a string is passed to a numeric field. 
This prevents the SQL command from being altered in unexpected ways.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. Precompilation of the SQL command<\/h3>\n\n\n\n<p>A parameterized query can be precompiled by the database, which fixes the structure of the SQL command. User input is treated purely as data and cannot be interpreted as part of the SQL command. This prevents malicious SQL code from being inserted into the query and executed.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. Automatic escaping of special characters<\/h3>\n\n\n\n<p>Many database drivers and interfaces automatically escape special characters in parameterized queries. 
This prevents special characters in user input that could manipulate the SQL command (for example single quotes and semicolons) from being interpreted as part of the SQL code.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example<\/h3>\n\n\n\n<div class=\"wp-block-urvanov-syntax-highlighter-code-block\"><pre class=\"lang:c# decode:true \">\/\/ Unsafe: user input is inserted directly into the query\nstring unsafeQuery = \"SELECT * FROM users WHERE username = '\" + userInput + \"'\";\n\n\/\/ Parameterized query: user input is handled as a parameter\nstring safeQuery = \"SELECT * FROM users WHERE username = @Username\";\nSqlCommand cmd = new SqlCommand(safeQuery, connection);\ncmd.Parameters.AddWithValue(\"@Username\", userInput); \/\/ The user input is handled safely here.\n<\/pre><\/div>\n\n\n\n<p>Using parameterized queries considerably reduces the likelihood of SQL injection attacks, and it is a security practice that modern web applications should adopt by default.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Why does SQL injection occur when 1=1 is used?<\/h3>\n\n\n\n<p>The main cause of SQL injection attacks is that the application does not properly 
validate or sanitize user input, which lets an attacker manipulate SQL queries through the application. \"1=1\" is a condition that is always true in SQL. If an attacker inserts this condition into the logical part of a query, the behaviour of the query can be changed in unintended ways.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Explanation by example<\/h3>\n\n\n\n<p>For example, suppose a web application handles user authentication with the following SQL query:<\/p>\n\n\n\n<div class=\"wp-block-urvanov-syntax-highlighter-code-block\"><pre class=\"lang:c# decode:true \">SELECT * FROM users WHERE username = 'user input' AND password = 'user input'\n<\/pre><\/div>\n\n\n\n<p>If user input is handled unsafely, a user can enter the following in the login form:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Username: admin' --<\/li>\n\n\n\n<li>Password: left empty<\/li>\n<\/ul>\n\n\n\n<p>If this input is inserted into the query as is, the SQL query is transformed as follows:<\/p>\n\n\n\n<div 
class=\"wp-block-urvanov-syntax-highlighter-code-block\"><pre class=\"lang:c# decode:true \">SELECT * FROM users WHERE username = 'admin' --' AND password = ''\n<\/pre><\/div>\n\n\n\n<p>Here, -- is the marker that starts a comment in SQL. The ' AND password = '' part is therefore commented out and not executed. As a result, this query checks only the username = 'admin' condition, making it possible to log in as the admin user without the password being checked.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">When \"1=1\" is used<\/h3>\n\n\n\n<p>An example of an attack that uses \"1=1\" is as follows:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Username input: anything' OR '1'='1<\/li>\n\n\n\n<li>Password input: left empty<\/li>\n<\/ul>\n\n\n\n<p>In this case the SQL query is transformed as follows:<\/p>\n\n\n\n<div class=\"wp-block-urvanov-syntax-highlighter-code-block\"><pre class=\"lang:c# decode:true \">SELECT * FROM users WHERE username = 'anything' OR '1'='1' AND password = ''\n<\/pre><\/div>\n\n\n\n<p>Because the \"1=1\" condition is always true, this query is likely to return all users. 
As a result, the attacker can log in to any account without knowing the password.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Prevention<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Use parameterized queries:<\/strong> Pass user input as query parameters so that the input is not interpreted as part of the SQL code.<\/li>\n\n\n\n<li><strong>Input validation:<\/strong> Perform strict validation on user input and allow only expected values.<\/li>\n\n\n\n<li><strong>Apply the principle of least privilege:<\/strong> Minimize database user privileges so that damage is minimized even if an attack succeeds.<\/li>\n\n\n\n<li><strong>Error message handling:<\/strong> Keep SQL query error messages from being shown to users, to prevent attackers from gathering information about the system.<\/li>\n<\/ul>\n\n\n\n<p>These security measures effectively prevent SQL injection attacks.<\/p>\n\n\n\n<p>Using parameterized queries blocks most SQL injection 
attacks. Instead of combining user input directly into the SQL command, a parameterized query uses parameters to handle the SQL command and the data independently. This prevents user input from being interpreted as SQL code.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How it works<\/h3>\n\n\n\n<p>Because the structure of a parameterized query is already determined when the SQL command is compiled by the database, user data is handled only as data such as strings or numbers and cannot be executed as part of the SQL code. For example, even if an attacker enters a condition such as \"1=1\" or \"' OR '1'='1\" in an input field, the input is regarded as plain string data and is not executed as part of the SQL command.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example<\/h3>\n\n\n\n<p>Let us take the use of a parameterized query as an example. 
Consider the case where a user enters a username in a login form:<\/p>\n\n\n\n<div class=\"wp-block-urvanov-syntax-highlighter-code-block\"><pre class=\"lang:c# decode:true \">string userQuery = \"SELECT * FROM users WHERE username = @username AND password = @password\";\nSqlCommand command = new SqlCommand(userQuery, connection);\ncommand.Parameters.AddWithValue(\"@username\", username);  \/\/ User input\ncommand.Parameters.AddWithValue(\"@password\", password);  \/\/ User input\n<\/pre><\/div>\n\n\n\n<p>Here username and password are values received from the user, but they are passed as parameters rather than as part of the SQL command. Therefore, even when input such as \"admin' --\" or \"anything' OR '1'='1\" arrives, the SQL command is not changed and the string is handled only as a plain condition value.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Strengthening security<\/h3>\n\n\n\n<p>Parameterized queries prevent SQL injection very effectively, but it is good to apply several other security practices at the same time. 
These practices include user input validation, privilege-based data access, and auditing of the application's security logs. Using these methods together strengthens the application's security even further.<\/p>\n\n\n\n<p>It is important to understand the logical structure used in the conditions of a SQL query. Given the query:<\/p>\n\n\n\n<div class=\"wp-block-urvanov-syntax-highlighter-code-block\"><pre class=\"lang:c# decode:true \">SELECT * FROM users WHERE username = 'anything' OR '1'='1' AND password = ''\n<\/pre><\/div>\n\n\n\n<p>We need to check how this query is interpreted once SQL's logical operator precedence is taken into account. In SQL the AND operator has higher precedence than the OR operator. The query is therefore interpreted as if parentheses were applied as follows:<\/p>\n\n\n\n<div class=\"wp-block-urvanov-syntax-highlighter-code-block\"><pre class=\"lang:c# decode:true \">SELECT * FROM users WHERE username = 'anything' OR ('1'='1' AND password = '')\n<\/pre><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">True\/False value evaluation:<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>'1'='1'<\/strong>: This condition is always true. 
That is, this part unconditionally returns True.<\/li>\n\n\n\n<li><strong>AND password = ''<\/strong>: This condition is true when the password field is an empty string.<\/li>\n\n\n\n<li><strong>'1'='1' AND password = ''<\/strong>: This whole condition is therefore true only when the password field is an empty string.<\/li>\n\n\n\n<li><strong>username = 'anything'<\/strong>: This condition is true for records whose username field is set to 'anything'.<\/li>\n\n\n\n<li><strong>username = 'anything' OR ('1'='1' AND password = '')<\/strong>: This whole condition is true for every record whose username is 'anything' or whose password is an empty string.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">As a result:<\/h3>\n\n\n\n<p>This query selects from the database all records whose username is 'anything', or those records among all users whose password is an empty string. Because '1'='1' is always true, the result is effectively true only when combined with the AND password = '' condition. 
Because of the OR operator, however, when username = 'anything' is true the record is selected regardless of the value of password.<\/p>\n\n\n\n<p>A query like this can serve as a typical example of SQL injection, and it is vulnerable when parameterized queries are not used.<\/p>\n","protected":false},"excerpt":{"rendered":"<div class=\"mh-excerpt\"><p>SQL Injection \uacf5\uaca9\uc740 \uc545\uc758\uc801\uc778 SQL \ucf54\ub4dc\ub97c \ub370\uc774\ud130\ubca0\uc774\uc2a4 \ucffc\ub9ac\uc5d0 \uc0bd\uc785\ud558\uc5ec \ub370\uc774\ud130\ubca0\uc774\uc2a4\ub97c \uc870\uc791\ud558\uac70\ub098 \ubbfc\uac10\ud55c \uc815\ubcf4\ub97c \ud0c8\ucde8\ud558\ub294 \uacf5\uaca9\uc785\ub2c8\ub2e4. SQL Injection\uc744 \ubc29\uc9c0\ud558\ub294 \uc8fc\uc694 \ubc29\ubc95\uc740 \uc544\ub798\uc640 \uac19\uc2b5\ub2c8\ub2e4: 1. 
\ud30c\ub77c\ubbf8\ud130\ud654\ub41c \ucffc\ub9ac <a class=\"mh-excerpt-more\" href=\"https:\/\/www.auctionpro.co.kr\/?p=9580\" title=\"SQL Injection\">[&#8230;]<\/a><\/p>\n<\/div>","protected":false},"author":6,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[16],"tags":[],"class_list":["post-9580","post","type-post","status-publish","format-standard","hentry","category-mssql-server"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>SQL Injection - AuctionPro<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.auctionpro.co.kr\/?p=9580\" \/>\n<meta property=\"og:locale\" content=\"ko_KR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SQL Injection - AuctionPro\" \/>\n<meta property=\"og:description\" content=\"SQL Injection \uacf5\uaca9\uc740 \uc545\uc758\uc801\uc778 SQL \ucf54\ub4dc\ub97c \ub370\uc774\ud130\ubca0\uc774\uc2a4 \ucffc\ub9ac\uc5d0 \uc0bd\uc785\ud558\uc5ec \ub370\uc774\ud130\ubca0\uc774\uc2a4\ub97c \uc870\uc791\ud558\uac70\ub098 \ubbfc\uac10\ud55c \uc815\ubcf4\ub97c \ud0c8\ucde8\ud558\ub294 \uacf5\uaca9\uc785\ub2c8\ub2e4. SQL Injection\uc744 \ubc29\uc9c0\ud558\ub294 \uc8fc\uc694 \ubc29\ubc95\uc740 \uc544\ub798\uc640 \uac19\uc2b5\ub2c8\ub2e4: 1. 
\ud30c\ub77c\ubbf8\ud130\ud654\ub41c \ucffc\ub9ac [...]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.auctionpro.co.kr\/?p=9580\" \/>\n<meta property=\"og:site_name\" content=\"AuctionPro\" \/>\n<meta property=\"article:published_time\" content=\"2024-11-11T01:35:44+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-11-11T02:13:36+00:00\" \/>\n<meta name=\"author\" content=\"golgol\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\uae00\uc4f4\uc774\" \/>\n\t<meta name=\"twitter:data1\" content=\"golgol\" \/>\n\t<meta name=\"twitter:label2\" content=\"\uc608\uc0c1 \ub418\ub294 \ud310\ub3c5 \uc2dc\uac04\" \/>\n\t<meta name=\"twitter:data2\" content=\"2\ubd84\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.auctionpro.co.kr\\\/?p=9580#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.auctionpro.co.kr\\\/?p=9580\"},\"author\":{\"name\":\"golgol\",\"@id\":\"https:\\\/\\\/www.auctionpro.co.kr\\\/#\\\/schema\\\/person\\\/d3dbae599b06cd55f5b14a3e2116f7a2\"},\"headline\":\"SQL Injection\",\"datePublished\":\"2024-11-11T01:35:44+00:00\",\"dateModified\":\"2024-11-11T02:13:36+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.auctionpro.co.kr\\\/?p=9580\"},\"wordCount\":149,\"commentCount\":0,\"articleSection\":[\"[DB]MSSQL Server\"],\"inLanguage\":\"ko-KR\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.auctionpro.co.kr\\\/?p=9580#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.auctionpro.co.kr\\\/?p=9580\",\"url\":\"https:\\\/\\\/www.auctionpro.co.kr\\\/?p=9580\",\"name\":\"SQL Injection - 
AuctionPro\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.auctionpro.co.kr\\\/#website\"},\"datePublished\":\"2024-11-11T01:35:44+00:00\",\"dateModified\":\"2024-11-11T02:13:36+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.auctionpro.co.kr\\\/#\\\/schema\\\/person\\\/d3dbae599b06cd55f5b14a3e2116f7a2\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.auctionpro.co.kr\\\/?p=9580#breadcrumb\"},\"inLanguage\":\"ko-KR\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.auctionpro.co.kr\\\/?p=9580\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.auctionpro.co.kr\\\/?p=9580#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\ud648\",\"item\":\"https:\\\/\\\/www.auctionpro.co.kr\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"SQL Injection\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.auctionpro.co.kr\\\/#website\",\"url\":\"https:\\\/\\\/www.auctionpro.co.kr\\\/\",\"name\":\"AuctionPro\",\"description\":\"\uc625\uc158\ud504\ub85c\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.auctionpro.co.kr\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"ko-KR\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.auctionpro.co.kr\\\/#\\\/schema\\\/person\\\/d3dbae599b06cd55f5b14a3e2116f7a2\",\"name\":\"golgol\",\"url\":\"https:\\\/\\\/www.auctionpro.co.kr\\\/?author=6\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","jetpack_featured_media_url":"","jetpack_sharing_enabled":true}