Advanced SQL injection in SQL Server applications

Source: Internet
Author: User
Tags: sql injection
Introduction
Structured Query Language (SQL) is a textual language used to interact with relational databases. There are many dialects of SQL, but most of those in common use are loosely based on the ANSI SQL-92 standard. The typical unit of execution is the query, a collection of statements that returns a single result set. The SQL language can modify the database structure (data definition language) and manipulate the database contents (data manipulation language). In this document we will discuss in particular the Transact-SQL dialect used by SQL Server.
SQL injection occurs when an attacker is able to insert a series of SQL statements into a query by manipulating the data that is input into the application.
A typical SQL statement is as follows:
select id, forename, surname from authors
This statement returns the id, forename and surname columns from all rows of the authors table. The result set can be restricted, for example:
select id, forename, surname from authors where forename = 'john' and surname = 'smith'
An important point to note about this statement is that the string literals 'john' and 'smith' are delimited with single quotes. Presuming that the forename and surname fields are supplied by user input, an attacker can inject some SQL into this query by entering values into the application, for example:
Forename: jo'hn
Surname: smith
The query statement becomes:
select id, forename, surname from authors where forename = 'jo'hn' and surname = 'smith'
When the database attempts to execute the query, it returns the following error:
Server: Msg 170, State 1, Line 1
Line 1: Incorrect syntax near 'hn'
The reason for this is that the injected single quote has been interpreted as a string delimiter, so the application has built a query with a stray quote; the database attempted to execute 'hn' as SQL and failed. If the attacker instead supplies input such as:
Forename: jo'; drop table authors--
Surname:
the authors table would be deleted, for reasons we will go into later.
It would seem that some method of either removing single quotes from the input, or escaping them in some way, would handle this problem. This is true, but there are several difficulties with this approach as a solution. First, not all user-supplied data is in the form of strings. If the user can select an author by id (presumably a number), then our query might look like this:
select id, forename, surname from authors where id = 1234
In this situation an attacker can simply append SQL statements to the number to start adding SQL to the query. Other SQL dialects use other delimiters as well; in the Microsoft Jet database engine, for example, date values can be delimited with the '#' character. Second, escaping single quotes is not necessarily the simple cure it might initially seem, for reasons we will go into later.
To illustrate these points, we will use a simple ASP login page that accesses a SQL Server database and attempts to authenticate users of a fictional application.
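To make the two points above concrete, here is an added example (not from the original paper) written in Python with sqlite3 standing in for SQL Server so it runs offline: the concatenated query fails on the stray quote just as the Msg 170 error shows, the same lookup with bound parameters treats the quote as data, and the numeric id is type-checked before it is bound, since quote-escaping does nothing for a numeric field. The authors rows are constructed sample data.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the text's 'authors' table (sqlite3, not SQL Server)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE authors (id INTEGER PRIMARY KEY, forename TEXT, surname TEXT)")
    conn.executemany("INSERT INTO authors VALUES (?, ?, ?)",
                     [(1234, "John", "Smith"), (1235, "Jane", "Doe")])
    return conn

def lookup_concatenated(conn, forename, surname):
    """Vulnerable pattern from the text: form input pasted into the query string,
    so a single quote in the input is read by the database as a string delimiter."""
    sql = ("SELECT id, forename, surname FROM authors "
           f"WHERE forename = '{forename}' AND surname = '{surname}'")
    return conn.execute(sql).fetchall()

def concatenated_query_error(forename, surname):
    """Return the database's syntax error for the concatenated query, or None if it ran."""
    try:
        lookup_concatenated(make_db(), forename, surname)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)

def lookup_parameterized(conn, forename, surname):
    """Hardened form: fixed query text with the values bound as parameters, so a
    quote in the input stays data and never becomes part of the SQL."""
    sql = "SELECT id, forename, surname FROM authors WHERE forename = ? AND surname = ?"
    return conn.execute(sql, (forename, surname)).fetchall()

def parse_id(raw):
    """Numeric fields get no protection from quoting, so enforce the type: digits only -> int, else None."""
    raw = raw.strip()
    return int(raw) if raw.isdigit() else None

def lookup_by_id(conn, raw_id):
    """Numeric lookup: reject anything that is not an integer, then bind the value."""
    author_id = parse_id(raw_id)
    if author_id is None:
        raise ValueError("author id must be an integer")
    sql = "SELECT id, forename, surname FROM authors WHERE id = ?"
    return conn.execute(sql, (author_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", concatenated_query_error("Jo'hn", "Smith"))
    print("parameterized:", lookup_parameterized(db, "Jo'hn", "Smith"))  # []
    print("by id:", lookup_by_id(db, "1234"))  # [(1234, 'John', 'Smith')]
```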