Prevent query statement database injection vulnerability attacks

To put it simply, SQL injection refers to the process of passing SQL code to the application, but it is not inserted as scheduled or expected by application developers, A considerable number of programmers did not judge the legitimacy of user input data when writing code, posing a security risk to the application. This vulnerability is not implemented by the system, but is ignored by programmers in programming. The original cause of SQL injection vulnerability attacks is to use illegal parameters to obtain sensitive information, collect and sort out, and analyze the Administrator account and password.

When developing an application, especially for queries on database information, the query statement may contain a concatenation string injection vulnerability, which may cause user data leakage. How can we prevent such vulnerabilities.

You can set parameters for the query statement as follows:

Using (Sqlconnection cn = new sqlconnection ("connection string "))

{

Cn. open ();

Using (sqlcommand cmd = cn. creatcommand ())

{

Cmd. commandtext = "select * from T_table where name = '" + textbox. text + "'";

(If you enter 1' or '1' = '1 in the text box), you can obtain the database information. This may cause information leakage. The solution is to introduce parameters. The method is as follows.

Cmd. commandtext = "select * from T_table where name = @ Name ";

Cmd. Parameters. Add (new sqlParameter ("@ Name", textbox. text ))};

In this way, the query data will be compared from the database, and no injection vulnerability attacks will occur.

}

}

Each time an SQL statement is required to write database operations, such as the following SQL statement used to verify login:

String strSql = "select * from Table Where UserName = '" + textBoxUserName. Text +' "and UserPassord = '" + textBoxPassword. Text + "'";
Or
String strSql = string. Format ("select * from Table where UserName = '{0}' and UserPassword = '{1}'", textBoxUserName. Text, textBoxPassword. Text );
In the preceding sentence, the SQL statements for database operations are written using String concatenation. This method is a common SQL statement written for database operations by programmers in the early stage and beginners, in the above Code, textBoxUserName is the user name submitted by the user in the textBoxUserName text box, textUserpassword is the password submitted by the user in the textUserpassword text box, in an ideal state, the user in order to attack the system, A user (a hacker) may attempt to tamper with SQL statements to log on. For example, you may enter the following statement in the User Name text box:
1' or 1 = 1 --

Next we will substitute the preceding statement into the SQL statement used for logon to obtain the following SQL statement:
Select * from Table where UserId = '1' or 1 = 1 -- 'and UserName =''
I have learned a little about Database SQL statements, and soon I will find that the above sentence is abnormal. This SQL statement will return all the data in the Table, which is what hackers can take advantage, hackers can use this method to successfully log on to the Table and obtain all information about the Table. The following explain this SQL statement: If only select * from Table is used, all information of the Table will be returned. After where, it is the query condition and 1 = 1 is always True, whether User = '1' is True or False, UserId = '1' or 1 = 1 is True. As for -- and UserName = '', because the two hyphens (--) are the comment mark of MS SQL Server (My SQL and Oracle databases use the same technology, however, My SQL uses the annotator as the symbol # And Oracle uses the semicolon;). -- the subsequent content is commented out when it is passed to the database for query, so -- the following content will be useless, and the SQL statement will not be executed, so the query condition after where will always be True. In summary, the preceding SQL query statement returns all information about the Table!

Through this SQL syntax vulnerability, hackers can achieve their goals, but SQL injection attacks are definitely not limited to this type. There are many complicated ones, so I will not talk about them anymore. Next I will talk about how to prevent SQL injection attacks in. NET.
What we can do, without modifying the preceding SQL query statement, is to use the MaxLength attribute of the TextBox control, so as to enter the number of characters typed by hackers, in this way, hackers can send a large number of illegal commands to the server. However, this method is just to hide your ears and cannot solve the problem. The second method is to delete the single quotation marks in user input. The method is to add one or more single quotation marks after the single quotation marks, or use spaces to replace single quotation marks. This can prevent such attacks. However, the limitation is that if the user name or password contains single quotes, it is not feasible!

The most perfect method is to use ADO. NET Command object parameter set. In the preceding SQL statement that can be exploited by SQL injection, the query is dynamically created by concatenating strings. here we can use ADO. the Parameters attribute of the NET Command object provides the function to pass the Parameters used to execute the SQL statement. In this method, the parameter name must be prefixed with the character @, for example, the following SQL query statement:
String strSql = "select * from Table where UserName = @ UserName and UserPassword = @ UserPassword ";
In this statement, @ UserName and @ UserPassword are the parameter names. You can use the following statement to pass values for this parameter:
SqlCommand cmd = new SqlCommand (strSql, conn );
SqlParameters [] pams = new SqlParameters ("@ UserName", textBoxUserName. Text), new SqlParameters ("@ UserPassword", textBoxPassword. Text ));
Cmd. Parameters. AddRange (pams );
Parameter names are case-insensitive. This method is also suitable for stored procedures and SqlDataAdapter objects.

The @ UserName and @ UserPassword names are used in the dynamically created SQL statement.Instead of splicing multiple character strings, you can use the Parameters set of the SqlCommand object to pass values. This method can safely create dynamic SQL connections. Parameters are not simply replaced by strings in SQL Server. SQL Server directly compares the added values with 0, so there is no SQL injection vulnerability.