Subsequent to the

I have been sorting out the many draft articles that should have been published earlier. This follow-up article had been sitting at the bottom of my Nuggets draft box, so I didn't notice it until now. Please forgive me.

On December 16, 2019, at 8:30 in the morning, I posted my first article on the Nuggets platform, titled "Got into some trouble: a bug I wrote was caught by the national information security vulnerability sharing platform?". The article mainly described how a bug in the open source project Newbee-Mall was included by CNVD, the national information security vulnerability sharing platform, and by CVE, the international security vulnerability database. Perhaps because the article was written in a funny way, people also found it interesting, so the read count was not bad:

Published at 8:30, it had reached 4K reads three hours later. Seeing this I was honestly a bit nervous: although I have been writing for several years, I am still a newcomer on the Nuggets, so special thanks for your support!

I thought that article had covered the whole incident, but some friends left comments below it and some messaged me in the group asking me to expand on it a little, hence this article, which addresses a few questions friends asked about what happened afterwards. There were too many articles in my draft box, so this one got overlooked; it should have gone out at the end of last year, but it is only going out now at the end of March. Embarrassing.

My dream is to have my own CVE number

My dream is to have a CVE number of my own.

Seeing this, I was a little confused; I didn't know why, and I didn't dare to ask.

Although I had been through the CVE and CNVD events, CVE was still somewhat unfamiliar to me, so when I saw the dialogue above I didn't know whether it was serious or not; I kept feeling they were teasing me.

Of course, since I didn't know, I went and studied it. I had the idea that "CVE numbers are valuable", but I knew nothing about them, and I don't think they are a thing in the developer community; they are more of a term and a thing in the network security community. So I looked up some CVE information in my spare time.

CVE as I understand it

Because I don't understand it especially well, I'll just describe my own ideas briefly; if anything is inappropriate, please forgive me.

What is a CVE

CVE, which stands for Common Vulnerabilities and Exposures (translated into Chinese as "Public Vulnerabilities and Exposures"), can be understood as a dictionary of vulnerabilities recognized by security practitioners. Precisely because it belongs to security practitioners, it really isn't something the developer community deals with, so it is normal to find it unfamiliar. On the official CVE website you can look up vulnerability information for different applications or systems by CVE number. Many security companies and national institutions also cite CVE in their own vulnerability databases; for example, CNVD, mentioned in the previous article, is our domestic vulnerability database.

CVE numbers are valuable

Having covered what CVE is, let's go on to talk about the value of a CVE number. The following content was mainly compiled from material on the Internet.

First of all, it is possible to receive a bonus directly for submitting a CVE vulnerability, though different organizations may have different bug bounty programs, and the reward differs by vulnerability level. If you submit valuable information, you are likely to receive a bonus. Second, even without a direct bonus, submitting a CVE vulnerability earns you a CVE number, and that can go on your resume as a plus when looking for a job; for us developers it is like maintaining a repository or publishing blog posts, which can also be listed as bonus items in our CVs.

The above is my superficial understanding of the value of a CVE number; there may be other, greater value that I am not aware of, so I won't continue to embarrass myself.

Other

A CVE number has to be applied for proactively, much like applying for an account: in short, you go to the corresponding website and fill in a form, then the vulnerability goes through review and verification steps, and if all goes well and the vulnerability is real, you get a CVE number.

In addition, obtaining a CVE number does not mean the vulnerability is valuable, or even that it is necessarily real. Take the SQL injection vulnerability in the NewBee-Mall project mentioned above: although the vulnerability is real, it does not affect network security greatly. Personally I feel the value of this CVE number is not big, but the incident gave me quite a scare.

SQL injection problem resolved

The original mapper SQL parsed its parameters with ${}. However, ${} carries a risk of SQL injection, so it needs to be removed; the solution is to change the parameter parsing to #{}.

#{parameterName} is a precompilation process: MyBatis parses each #{} in the SQL statement into a parameter placeholder and then calls the PreparedStatement set methods to assign the value. The value is wrapped in single quotes; for example, if the keyword parameter is passed in as computer, it becomes 'computer' when it is bound into the SQL statement.

${parameterName} is a string substitution: MyBatis replaces the variable in the SQL statement with the variable's value directly. The value is still the bare word computer, without quotes, when it is spliced into the SQL statement.

${} can cause SQL injection problems, which is bad for system security, because this method is a direct substitution: whatever value is passed in is concatenated as-is. If SQL keywords are concatenated in maliciously, it can cause irreversible damage. With #{}, by contrast, the value will be parsed as a string.
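To make the difference between the two parsing modes concrete, here is an added example (not code from the original post or from the Newbee-Mall project) that mimics ${} as raw text splicing and #{} as a bound placeholder, then runs both forms of a keyword search against a constructed in-memory SQLite table; the table name, columns and rows are assumptions for the demo.

```python
import re
import sqlite3

# Constructed sample rows standing in for a goods table (not newbee-mall's own schema).
GOODS = [("Computer Desk", 1), ("Laptop computer", 1),
         ("Keyboard", 1), ("Hidden computer", 0)]   # status 0 = not on sale

def render_dollar(sql, params):
    """Mimic MyBatis ${}: the raw value is spliced into the SQL text as-is,
    so whatever the caller passes becomes part of the statement itself."""
    text = re.sub(r"\$\{(\w+)\}", lambda m: str(params[m.group(1)]), sql)
    return text, ()

def render_hash(sql, params):
    """Mimic MyBatis #{}: each placeholder becomes a '?' and the value is bound
    separately, so the driver always treats it as one string literal."""
    names = []
    def to_placeholder(m):
        names.append(m.group(1))
        return "?"
    text = re.sub(r"#\{(\w+)\}", to_placeholder, sql)
    return text, tuple(params[n] for n in names)

def search(sql_template, keyword, render):
    """Run a goods search against an in-memory SQLite table; return the names found."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE goods (goods_name TEXT, goods_sell_status INTEGER)")
    conn.executemany("INSERT INTO goods VALUES (?, ?)", GOODS)
    query, args = render(sql_template, {"keyword": keyword})
    return [row[0] for row in conn.execute(query, args)]

# Vulnerable form: ${} spliced inside the quotes of the LIKE pattern.
DOLLAR_SQL = ("SELECT goods_name FROM goods "
              "WHERE goods_name LIKE '%${keyword}%' AND goods_sell_status = 1")
# Hardened form: #{} is a bound parameter, so the wildcards are concatenated in SQL
# (|| is SQLite syntax; MySQL would use CONCAT).
HASH_SQL = ("SELECT goods_name FROM goods "
            "WHERE goods_name LIKE '%' || #{keyword} || '%' AND goods_sell_status = 1")

if __name__ == "__main__":
    tautology = "' OR '1'='1"   # a keyword that is SQL, not a product name
    print(search(DOLLAR_SQL, "computer", render_dollar))  # normal results
    print(search(DOLLAR_SQL, tautology, render_dollar))   # ${}: every row, status filter bypassed
    print(search(HASH_SQL, tautology, render_hash))       # #{}: no product has that name -> []
```

With #{}, the crafted keyword is compared as a literal product name and matches nothing, whereas the ${} form returns every row, including goods that are not on sale.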

If you want to know more about the difference between ${} and #{} in MyBatis, you can look it up.

The ad posters who never miss a post

This advertisement has appeared N times under this article; it is exhausting.

I really did poke a hornet's nest here.

Every time I have to ask the administrator to help clean up a batch of them; it really is hard on everyone.

Written at the end

A small promotion, for those who are interested: I recently published a booklet on the Nuggets platform, "Spring Boot Large-scale Online Mall Project Practical Tutorial" (click the link or the picture below to buy it at 20% off):

The booklet is built around the Spring Boot technology stack, and the choice of other technical frameworks also takes the latest technology trends into account to broaden your knowledge. It goes from shallow to deep, step by step, so that while learning the fundamentals you also pick up real development skills: not just the surface of Spring Boot, but its source code design and internal principles; not just how to integrate the Spring Boot technology stack, but how to use it to build a large mall system, giving you a high-quality learning experience. It stays away from Hello World projects, so you get a complete hands-on project and a solid grasp of the currently popular Spring Boot technology stack, which gives you ample backing for your technical depth and salary growth.

This is a practical mall project; a preview of some of its pages is as follows:

Interested friends may want to take a look.

Unless a reprint/source is indicated, everything here is the author's original work. Reprinting is welcome, but without the author's consent this statement must be retained and a link to the original must be given in a prominent position on the article page; otherwise the author reserves the right to pursue legal responsibility.

Thank you for reading. I am 13, and this article first appeared on my public account "Programmer's Short Story".