Shallow into shallow out SQL injection

has begun to learn the beef Brisket news release system, in the background code to talk about some refactoring SQLHelper knowledge, stored procedures and triggers, and so on, these have been touched before. SQL injection is not previously noticed, so stop to summarize and learn about SQL injection.

First, what is SQL injection?

Real- Combat Chapter ~~~~~~~~~~

  SQL injection concept

        &NBSP, so-called SQL injection, by inserting SQL commands into the Web form Submit or enter a query string for a domain name or page request, and eventually reach the spoofed server to execute a malicious sql command, such as many previous movie sites leaked vip The membership password is mostly through WEB form submission query characters are out of order, such forms are particularly susceptible to sql injection-type attack.

in Layman's words, when you enter some part of a query string in a browser Web page, this makes it possible for a malicious attacker to instruct the name and table of a Web site's connection database, which is caused by stitching strings. Small examples in the press release system:

code for the News category class insert function

public bool Insert (string caname)        {            BOOL flag = FALSE;            String sql = "INSERT into category (name) VALUES ('" + CAName + "')";};            int res = SqlHelper. ExecuteNonQuery (SQL, commandtype.text);             if (res > 0)//code snippet, press the table key twice consecutively to display the code snippet            {                flag = true;            }            return flag;        }

If this is the case: in the Page input box, enter a similar

-- Entertainment News ') Delete category where id=3-- statement will occur SQL injection.

in this case, it will be deleted when the entertainment news is inserted.IDto be3of that category. This isSQLinjected, causing the database to be unsafe because the string is exactly spliced,Insert Intocategory (name) VALUES ('Entertainment News')Delete Category whereid=3-

The workaround is to use the parameters to SQL The statement should become:

<summary>///Add category///        </summary>/        <param name= "CAName" > News category name </param>        //<returns></returns> public bool Insert (string caname)        {            BOOL flag = FALSE;            String sql = "INSERT into category (name) VALUES (@caName)";            Sqlparameter[] paras = new sqlparameter[] {                                                    new SqlParameter ("@caName", CAName)};            int res = SqlHelper. ExecuteNonQuery (SQL, paras, commandtype.text); Prevent SQL Injection            if (res > 0)//code snippet, press the table key twice consecutively to display the code snippet            {                flag = true;            }            return flag;        }

Why can parameterized queries prevent SQL injection?

1 , parameter filtering, actual execution in the database SQL Statement

2 , execution plan reuse

because parameterized queries can reuse execution plans, and if the execution plan is reused,the semantics thatSQL has to express will not change, so SQL injection can be prevented . If the execution plan cannot be reused, SQL injection is possible, as is the case with stored procedures, because the execution plan can be reused.

Extended Chapter ~~~~~~~~~~

SQL Injection Reason

The causes of SQL injection typically occur in the following ways:

1 , improper handling of types

2 , insecure database configuration

3 , unreasonable query set processing

4 , improper handling of errors

5 , the escape character processing is not appropriate

6 , multiple submissions are improperly handled

         SQLAn injection attack refers to passing in a parameter by constructing a special inputWebprograms, and these inputs are mostlySQLSome combination of the syntax, by executingSQLstatement and then executeThe main reason for an attacker's actions is that the program does not carefully filter the data entered by the user, causing illegal data intrusion into the system.    

Impact of SQL injection

SQL injection attacks occur when an application constructs a dynamic SQL statement to access the database by using the input content. SQL injection can also occur if your code uses stored procedures that are passed as strings that contain unfiltered user input. SQL injection may result in an attacker using an application to log in to execute commands in the database. The associated SQL injection can be done through the test tool pangolin. This can become a serious problem if your application connects to the database using an account that is too privileged. In some forms, user-entered content is used directly to construct dynamic SQL commands, or as input parameters to stored procedures, which are particularly susceptible to SQL injection attacks. While many web-site programs are written, there is no judgment on the legality of user input or improper handling of the variables in the program, which makes the application security hidden trouble. In this way, the user can submit a database query code, according to the results returned by the program to obtain some sensitive information or control the entire server, so SQL injection occurs.

Protect SQL injection

Since there is an impact of SQL injection, how can you prevent SQL injection?

1. Never trust the user's input. The user's input can be verified by means of regular expressions, or by limiting the length, by single quotes and

Dual "-" for conversion, and so on.

2. Never use dynamically assembled SQL, either using parameterized SQL or directly using stored procedures for data query access.

3. Never use a database connection with administrator rights, and use a separate limited database connection for each app.

4. Do not store confidential information directly, encrypt or hash out passwords and sensitive information.

5. Applied exception information should give as few hints as possible, preferably using a custom error message to wrap the original error message

Summary article ~~~~~~~~~~

SQL injection, what a professional noun it sounds! It would be bad if someone deliberately hacked into the database because of this loophole. At the same time, there are a variety of people in the search for SQL injection methods, their approach is quite flexible, let us guard against. And our protection can be based on the specific situation of analysis, the construction of clever SQL statements, so that the successful protection of SQL injection database is the master and "rookie" difference.