I. What is a SQL injection attack?
A SQL injection attack is one in which the attacker inserts SQL commands into the input fields of a web form or the query string of a page request in order to trick the server into executing malicious SQL. In some forms the user's input is used directly to construct (or to influence) dynamic SQL commands, or is passed unchanged as an input parameter to a stored procedure; such forms are particularly vulnerable to SQL injection. A typical SQL injection attack proceeds as follows:
⑴ An ASP.NET Web application has a login page that controls whether a user has the right to access the application. It requires the user to enter a name and password.
⑵ The content entered on the login page is directly used to construct dynamic SQL commands or used directly as parameters for stored procedures. Here is an example of how an ASP.NET application constructs a query:
System.Text.StringBuilder query = new System.Text.StringBuilder("SELECT * from Users WHERE login = '").Append(txtLogin.Text).Append("' AND password='").Append(txtPassword.Text).Append("'");
⑶ The attacker enters ' or '1'='1 in both the username and the password field.
⑷ After the input is submitted, the server runs the ASP.NET code above to build the SQL command that looks up the user, but because of the attacker's specially crafted input the final command becomes: SELECT * from Users WHERE login = '' or '1'='1' AND password = '' or '1'='1'
⑸ The server executes queries or stored procedures, comparing the user's identity information entered and the identity information saved on the server.
⑹ Since the SQL command has actually been modified by injection attacks and can no longer truly verify the user's identity, the system will mistakenly authorize the attacker.
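The six steps above, reproduced as a runnable example added to this page (it is not code from the original article, which uses C#): the same string concatenation as the StringBuilder snippet, run against a constructed in-memory SQLite table, beside the parameterized form of the same lookup. The table contents and the function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample schema and data (not from the original article).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('mas', 'secret-pw')")
    conn.commit()
    return conn

def build_query_unsafe(login: str, password: str) -> str:
    # Mirrors the StringBuilder concatenation from the article: the user's
    # input is pasted straight into the SQL text, so quotes in the input
    # become SQL syntax instead of data.
    return ("SELECT * from Users WHERE login = '" + login
            + "' AND password='" + password + "'")

def find_user_unsafe(conn: sqlite3.Connection, login: str, password: str) -> list:
    return conn.execute(build_query_unsafe(login, password)).fetchall()

def find_user_safe(conn: sqlite3.Connection, login: str, password: str) -> list:
    # Parameterized query (item 7 of the prevention list): the '?' placeholders
    # are bound by the driver, so the input is always treated as data.
    return conn.execute(
        "SELECT * from Users WHERE login = ? AND password = ?",
        (login, password)).fetchall()

# The input from step (3) of the article.
PAYLOAD = "' or '1'='1"

def demo() -> dict:
    conn = make_db()
    return {
        # The rendered SQL of step (4): the WHERE clause is now always true.
        "rendered": build_query_unsafe(PAYLOAD, PAYLOAD),
        # Step (6): the concatenated query "authenticates" without credentials.
        "unsafe_rows": len(find_user_unsafe(conn, PAYLOAD, PAYLOAD)),
        # The bound version compares the literal text and matches nothing.
        "safe_rows": len(find_user_safe(conn, PAYLOAD, PAYLOAD)),
        # A genuine login still works through the parameterized query.
        "legit_rows": len(find_user_safe(conn, "mas", "secret-pw")),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

Running the block shows the rendered query from step (4) and that it returns a row for credentials that do not exist, while the parameterized lookup returns none; the SQLite placeholder syntax (`?`) stands in for the `@param` / SqlParameter mechanism ADO.NET provides.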
If an attacker knows that the application will directly use the content entered in the form for verification queries, they will attempt to input certain special SQL strings to tamper with the query and change its original function, tricking the system into granting access permissions.
Different system environments can lead to varying levels of damage caused by attackers, which is mainly determined by the security permissions of the application accessing the database. If the user's account has administrative privileges or other higher-level permissions, attackers may perform various operations on the database tables as they wish, including adding, deleting, or updating data, and even potentially directly deleting tables.
II. How to prevent it?
(1) Where dynamic SQL queries must be constructed, the following techniques can be used:
First: Replace single quotes, that is, turn every single quote that appears on its own into two single quotes, so that an attacker cannot change the meaning of the SQL command. Applied to the earlier example, “SELECT * from Users WHERE login = ''' or ''1''=''1' AND password = ''' or ''1''=''1'” obviously produces a different result from “SELECT * from Users WHERE login = '' or '1'='1' AND password = '' or '1'='1'”: the doubled quotes keep the injected text inside the string literal instead of closing it.
Second: Delete all hyphens from the user's input, so that an attacker cannot construct a query such as “SELECT * from Users WHERE login = 'mas' -- AND password = ''”. In a query of that form everything after the -- is commented out and no longer takes effect, so an attacker only needs to know a valid login name to gain access, without knowing the user's password at all.
Third: Limit the permissions of the database account used to execute queries. Use different accounts for SELECT, INSERT, UPDATE and DELETE. Because the operations each account may perform are isolated, a place that was meant only to run SELECT commands cannot be turned into a way of running INSERT, UPDATE or DELETE commands.
(2) Execute all queries through stored procedures. Passing the values as SQL parameters prevents attackers from using single quotes and hyphens to mount an attack. In addition, database permissions can then be restricted so that only specific stored procedures may be executed, and all user input must fit the security context of the procedure being called, which makes injection attacks very hard to carry out.
(3) Limit the length of form and query-string input. If a user's login name can be at most 10 characters long, reject any form input longer than 10 characters; this greatly increases the difficulty of inserting malicious code into a SQL command.
(4) Check the legality of the user's input, so that it contains only valid data. Data validation should be performed on both the client and the server; the reason for validating on the server as well is to compensate for the fragile security of client-side validation.
On the client side, it is completely possible for an attacker to obtain the source code of the web page, modify the script for verifying legitimacy (or directly delete the script), and then submit illegal content to the server through the modified form. Therefore, the only way to ensure that the verification operation has been executed is to also execute the verification on the server side. You can use many built-in validation objects, such as RegularExpressionValidator, which can automatically generate client-side scripts for validation. Of course, you can also insert server-side method calls. If there are no ready-made validation objects, you can create one yourself through CustomValidator.
(5) Hash user login names, passwords and similar data before storing them. Hashing the user's input and then comparing it with the value saved in the database effectively sanitizes the input: the submitted data no longer has any special meaning to the database, so an attacker cannot inject SQL commands through it. The System.Web.Security.FormsAuthentication class has a HashPasswordForStoringInConfigFile method that was provided for exactly this purpose. (That method is marked obsolete in current versions of the .NET Framework and is absent from ASP.NET Core; a modern replacement is a dedicated password-hashing API such as ASP.NET Identity's PasswordHasher.)
(6) Check the number of records returned by the query used to fetch the data. If the program expects exactly one record but more than one is returned, treat it as an error.
(7) Use prepared statements (parameterized queries).
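The input-side defences of items (1), (3), (4) and (6), combined into one login lookup as an added example (not code from the original article, which targets ASP.NET): a server-side allow-list check with the article's 10-character limit, the quote-doubling and hyphen-stripping transformations from item (1), and the row-count check from item (6). The constructed table, the character allow-list and the function names are assumptions; parameterized queries (item 7) remain the primary defence, and these checks are defence in depth around them.

```python
import re
import sqlite3

MAX_LOGIN_LEN = 10  # the limit used in the article's example (item 3)
# Allow-list for login names (assumed policy): letters, digits and underscore
# only, so quotes, hyphens and whitespace can never reach the query (item 4).
LOGIN_RE = re.compile(r"[A-Za-z0-9_]{1,%d}" % MAX_LOGIN_LEN)

def validate_login(name: str) -> bool:
    """Server-side validation: length cap plus character allow-list."""
    return LOGIN_RE.fullmatch(name) is not None

def escape_single_quotes(s: str) -> str:
    """Item (1), First: double each single quote so it stays inside the literal."""
    return s.replace("'", "''")

def strip_hyphens(s: str) -> str:
    """Item (1), Second: remove hyphens so '--' cannot open a SQL comment."""
    return s.replace("-", "")

def render_query(login: str, password: str) -> str:
    """Build the lookup with the article's two string transformations applied."""
    safe_login = escape_single_quotes(strip_hyphens(login))
    safe_password = escape_single_quotes(strip_hyphens(password))
    return ("SELECT * from Users WHERE login = '" + safe_login
            + "' AND password = '" + safe_password + "'")

class AmbiguousResult(Exception):
    """Raised when a single-user lookup returns more than one row (item 6)."""

def lookup_user(conn: sqlite3.Connection, login: str, password: str):
    """Return the matching user row, None if none, or raise on ambiguity."""
    if not validate_login(login):
        return None                      # rejected before any SQL is built
    rows = conn.execute(render_query(login, password)).fetchall()
    if len(rows) > 1:
        raise AmbiguousResult("expected at most one user, got %d" % len(rows))
    return rows[0] if rows else None

# Constructed sample data (not from the article); 'dup' appears twice so the
# row-count check in item (6) can be exercised.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (login TEXT, password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("mas", "s3cret"), ("dup", "pw"), ("dup", "pw")])
    conn.commit()
    return conn

if __name__ == "__main__":
    db = make_db()
    print(render_query("mas", "' or '1'='1"))
    print(lookup_user(db, "mas", "s3cret"))
    print(lookup_user(db, "' or '1'='1", "' or '1'='1"))
```

The rendered query for a quote-bearing password shows the doubled quotes from the article's example; the same payload used as a login name never reaches the database because the allow-list rejects it first, and the duplicated `dup` account demonstrates why a login lookup should fail closed when more than one row comes back.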
That's all for this article. I hope its content is of some help to everyone's study or work, and I also hope for more support for the Shouting Tutorial!