How do I prevent a Web site from being injected by SQL?

Mobile Internet development momentum has been far more than the PC Internet, mobile mobile internet access, as well as the amount of more than PC PC, with the mobile big data, blockchain technology in continuous improvement, mature, daily life will often hear a site is attacked, the site is black news reports, such as a group purchase site was invaded, The user's information privacy has been compromised, how many million member data stolen away, this is not intended to bring serious impact on the site and economic losses.

Like before the college entrance examination site was black, the students to check the entrance examination scores of this urgency, so that the attackers to destroy, resulting in the college entrance examination results can not be normal query, brought more worries in the mind with the examinee information may be exposed, immediately brought a series of economic fraud occurred, the above occurrence of various situations , all with the site security we're going to talk about today, about how to better prevent SQL injection attacks?

The site is black, after our sine security company over the years of security maintenance experience to summarize, generally due to the existence of loopholes in the website, most of the site is related to SQL injection vulnerability, MySQL database, Oracle database, SQL database, will be injected by SQL attacks, In turn, the Web site database information is taken off the trousers, this attack means generally in the access log and traffic statistics inside the site to find problems, SQL injection attack technology in recent years has been upgrading the change, attack features are also more alternative, even disguised as normal SQL statement to execute the attacker's malicious parameters.

Access to the site, users open the site and login, the use of the various web site interactive functions, the Linux server should be the front-end site users access and get Post,cookies submitted parameters for security filtering, the normal SQL statement execution to the database. And the attacker is the use of SQL statements to facilitate the execution of a malicious SQL injection statements executed into the database, such as querying the site administrator's account password, modify the site member's withdrawal bank card, modify the site's payment interface, payment account, through the database tamper bets, modify betting records, Modify member password or member's authentication information, bank card and other attack symptoms. In general, the attacker transforms a normal SQL statement into a malicious SQL injection statement that executes into a database and reads and writes queries.

So how do you better prevent the site from being injected into SQL?

First of all, we should conduct detailed security detection of the website program code, and site vulnerability detection, in the front-end of the site in a variety of ways to submit and inject detection, the code in the interaction with the user and direct transfer of the database to deal with the code to check to see if it can be doped with illegal SQL injection code in. Filter the GET, POST, and cookie submissions, filter special symbols, and filter and intercept symbols for some &*%￥#@/and more, as well as escape symbols. To the front-end of the Web site PHP security function of the variable filtering, Web site web-side JS filtering detection contains illegal parameters of SQL injection, such as some SQL injection code, and 1=1 1=2 Select Union and other queries such as filter statements.

String security filtering, the strings of and and delete,updata,char,master,chr.exec,mid,declare,or,count, etc. are strictly intercepted on the server side, When the user enters the value and the packet contains the above string, it is intercepted and recorded in the log to prevent the normal user interaction function.

The site can also use a WAF firewall, using a CDN for protection of SQL injection, the country can use Baidu CDN to prevent SQL injection attacks.

How do I prevent a Web site from being injected by SQL?