asp.net how to prevent SQL injection

Source: Internet
Author: User
Tags how to prevent sql injection sql injection sql injection attack

One, what is SQL injection-type attack?
  
A SQL injection attack is an attacker who inserts a SQL command into the input field of a Web form or a query string for a page request, tricking the server into executing a malicious SQL command. In some forms, user-entered content is used directly to construct (or affect) dynamic SQL commands, or as input parameters for stored procedures, which are particularly vulnerable to SQL injection attacks. Common SQL injection-type attack process classes such as:
  
⑴ a asp.net Web application has a login page that controls whether the user has access to the application, which requires the user to enter a name and password.
  
The content entered in the ⑵ login page will be used directly to construct a dynamic SQL command, or directly as a parameter to a stored procedure. The following is an example of the ASP.net application construct query:
  
System.Text.StringBuilder query = new System.Text.StringBuilder ("SELECT * from Users where login = ')". Append (Txtlogin.text). Append ("' and Password= '"). Append (txtPassword.Text). Append ("'");
  
⑶ the attacker to enter "' or ' 1 ' = ' 1" in the user's name and password input box.
  
After the ⑷ user input is submitted to the server, the server runs the ASP.net code to construct a query for the user's SQL command, but because the attacker's input is very special, the resulting SQL command becomes: SELECT * from Users where login = ' or ' 1 ' = ' 1 ' and password = ' or ' 1 ' = ' 1 '.
  
The ⑸ server executes a query or stored procedure that compares the identity information entered by the user to the identity information stored in the server.
  
⑹ because the SQL command has actually been modified by a injected attack and cannot really authenticate the user, the system is incorrectly authorized to the attacker.
  
If an attacker knew that the application would direct the content entered in the form to the authenticated query, he would try to enter some special SQL string tampering query to change its original function and deceive the system to grant access.
  
The system environment is different and the attacker may cause different damage, which is determined primarily by the security permissions that the application accesses the database. If the user's account has an administrator or other higher-level permissions, the attacker might perform various actions that he wants to do on the table of the database, including adding, deleting, or updating data, and possibly even deleting the table directly.
  
Second, how to prevent?
  
The good news is that it's not particularly difficult to prevent asp.net applications from being hacked into SQL, so just filter all the input before you construct the SQL command with what the form enters. Filter input can be done in a variety of ways.
  
⑴ for dynamically constructing SQL queries, you can use the following techniques:
  
First: Replace single quotes, that is, to change all individual single quotes into two single quotes, to prevent the attacker from modifying the meaning of the SQL command. To take a look at the previous example, "SELECT * from users where login = '" ' or ' 1 ' = ' 1 ' and password = ' ' or ' 1 ' = ' 1 ' "will obviously get with" select * from Users where login = ' or ' 1 ' = ' 1 ' and password = ' or ' 1 ' = ' 1 ' ' different result.
  
Second: Delete all hyphens in user input to prevent attackers from constructing queries such as "SELECT * from Users where login = ' mas '--and password = '" Because the latter part of such query has been commented out and no longer valid, attacking Anyone who knows a legitimate user login name does not need to know the user's password to gain access.
Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.