Anti-SQL Injection for PHP websites and php SQL Injection

Anti-SQL Injection for PHP websites and php SQL Injection

Structured Query Language (SQL) is a Structured Query Language. SQL Injection inserts SQL commands into the query strings of the input fields or page Request Parameters of Web forms. When a Web form submits a GET or POST request to the Web server, if the server does not strictly verify the validity and validity of the parameters, the database server will execute malicious SQL commands.

SQL Injection Attack Process:

(1) determine whether Web applications can perform SQL injection.

(2) Search for SQL injection points.

(3) Guess the username and password.

(4) Search for the Web System Management Background portal.

(5) implement intrusion and destruction.

I. SQL Injection Vulnerability Testing Tool 1. Sqlmap

Sqlmap is an automated SQL injection tool. Its main function is to scan and discover and exploit the SQL injection vulnerability of a given URL. The databases currently supported are ms SQL Server, MySQL, oracle and postgresql. SQLMAP uses four unique SQL injection technologies: blind inference SQL injection, UNION query SQL injection, heap query, and time-based SQL blind injection. Its wide range of features and options include database fingerprints, enumeration, database extraction, access to the target file system, and the implementation of arbitrary commands when obtaining full operation permissions.

1.1 sqlmap Common commands

Target: You must set at least one of the options to set the Target URL.

-D DIRECT connects directly to the database.

-U URL, -- url = URL destination URL.

Request: these options can be used to specify how to connect to the target URL.

-Data = DATA string sent by POST.

-Cookie = cookie http Cookie header.

Optimization: these options can be used to optimize the performance of sqlmap.

-O all account opening optimization Switches

-- Threads = maximum HTTP (S) Request concurrency of THREADS (1 by default ).

Injection (Injection): these options can be used to specify which parameters to test.

-P TESTPARAMETER: testable parameter.

-- Prefix = PREFIX: injects the payload string prefix.

2 SQLIer

SQLIer can find a URL with the SQL injection vulnerability on the website and generate the SQL injection vulnerability based on the relevant information, but it does not require user interaction. In this way, it can generate a union select query, which can attack the Database Password. This program does not use quotation marks when exploiting vulnerabilities, which means it can adapt to multiple websites.

SQLIer uses "true/false" SQL to inject a strong password for the vulnerability. With the powerful password of the "true/false" SQL injection vulnerability, you cannot query data from the database. You can only query one statement that returns the "true" and "false" values.

According to statistics, it takes about one minute to crack an eight-character password (including any character in the ASCII code.

2.1 its syntax is as follows: sqlier [Option] [URL]

The options are as follows:

-C: [host] clears vulnerability exploitation information of the host.

-S: [seconds] The number of seconds to wait between webpage requests

-U: [user name] user names that are under severe attacks from the database, separated by commas

-W: [Option] submit [Option] To wget

In addition, this program also supports guessing the field name, there are several options:

-- Table-names [table name]: names of tables that can be guessed, separated by commas

-- User-fields [user field]: names of user name fields that can be guessed, separated by commas

-- Pass-fields [Password Field]: name of the password field that can be guessed, separated by commas

3 Pangolin

Pangolin is a security tool that helps penetration testers perform SQL injection tests. Pangolin and JSky (Web Application Security Vulnerability scanner and Web Application Security Evaluation Tool) are both products of NOSEC. Pangolin has a friendly graphical interface and supports testing almost all databases (Access, MSSql, MySql, Oracle, Informix, DB2, Sybase, PostgreSQL, and Sqlite ). Pangolin can maximize the attack test results through a series of very simple operations. It provides the test steps from the detection and injection to the final control target system. Pangolin is currently the most popular security software for SQL injection testing in China.

2. Prevent SQL injection attacks 1. filter input data (filter input)

A) When dynamically constructing SQL queries, you can replace and delete special characters.

B) Check the validity of user input to prevent illegal data input. Data check should be performed on the client and server. Server-side verification is performed to make up for the shortcomings of the client verification mechanism.

C) restrict the length range of form or query string input.

D) encrypt user login names, passwords, and other data.

2. Escape the data sent to the database (Escape output)

Use escape functions designed for custom databases whenever possible. If no, using the addslashes () function is a good method. Using the mysql_real_escape_string function for string parameters and using intval For numeric parameters, the floatval function is better for forced filtering. When all data used to create an SQL statement is properly filtered and escaped, the risk of SQL injection is actually avoided.

3. parameterized Query

Parameterized Query means that when a Web program implements a database Query, it does not directly assign values where values or data need to be submitted. Instead, it uses parameters to pass them to values.

Using parameterized query technology, the database server does not regard the parameter content as an integral part of the SQL command for processing. After the database system compiles the SQL command, it then loads the parameter for running. Therefore, even if the parameter contains instructions, it will not be compiled and run by the database.

4. Use stored procedures

Stored procedures are stored in the database system. Web applications execute stored procedures by calling them. This technology allows users to define variables, conditional execution, and other rich programming functions. The program developer uses the SQL query statement code built in advance by the stored procedure, and then transmits the value through parameters during use. Stored Procedures play three security roles in use: first, the stored procedure must be pre-compiled before execution, and compilation errors are not executed; second, authorized access to data is based on stored procedures rather than directly accessing basic tables. Attackers cannot detect select statements. Finally, stored procedures can specify and verify user-supplied value types.

However, stored procedures also have some limitations. If the commands executed in the stored procedure are concatenated strings, injection attacks may occur. In addition, stored procedures do not support all database platforms.

5. Use PDO to connect to the database

The best way to prevent SQL injection is not to set SQL commands and parameters, but to use PDO prepare and bind. The principle is to separate the SQL query command from the passed parameters. When prepare is used, DB server parses the SQL statement into an SQL command. When using bind, only the SQL commands parsed by DB Server are dynamically passed.

Iii. Summary

In addition to the preceding methods to prevent SQL injection attacks, you can also use URL Reset Technology, static pages, Error Blocking, and web application firewall. Through the above measures, SQL injection can prevent problems before they occur.