Injection method:
In theory, the Certification Web page will have a type such as:
SELECT * from admin where username= ' XXX ' and password= ' YYY ' statement, it is easy to implement SQL injection if the necessary character filtering is not done before the sentence is formally run.
If you type in the User name text box: ABC ' or 1=1--in the Password box: 123 The SQL statement becomes:
SELECT * from admin where username= ' abc ' or 1=1 and password= ' 123 ' regardless of user input any user name and password, this statement can always execute correctly, users easily fooled the system, access to legal identity.
Guessing solution:
The basic idea is: guess all the database tutorial name, guess every table in the library name, analysis may be stored user name and password table name, guess the table of each field name, guess the table of each record content.
There is also a way to get your database name and the name of each table.
is through in the shape such as: http://www. . cn/news?id=10 ' Way to get your database name and table name by Error!
For the JSP tutorial, we generally take a strategy to deal with:
1, PreparedStatement
If you are already a slightly level developer, you should always replace statement with PreparedStatement.
Here are a few reasons
1, the code readability and maintainability.
2, PreparedStatement to the greatest possible increase in performance.
3, the most important point is to greatly improve the security.
So far, there are some people (including himself) who don't even know the basic semantics of the SQL syntax.
String sql = "SELECT * from Tb_name where name= '" +varname+ "' and passwd= '" +varpasswd+ "";
If we enter [' or ' 1 ' = ' 1] as name. What will it be if the password is random?
SELECT * from tb_name = ' or ' 1 ' = ' 1 ' and passwd = ' random ';
Because ' 1 ' = ' 1 ' is definitely set up, so can any pass validation. What's worse:
Put [';d rop table tb_name;] Passed in as a varpasswd, then:
SELECT * from tb_name = ' random ' and passwd = ';d rop table tb_name; some databases won't make you successful, but there are a lot of databases that can get these statements executed.
And if you use precompiled statements. Anything you pass in will not have any matching relationship with the original statement. (provided that the database itself supports precompilation, there may not be any server-side databases that do not support compilation, and only a handful of desktop databases, that is, direct file access--you don't have to worry about incoming data if you use precompiled statements entirely. And if you use ordinary statement, It is possible to make a very determined and misplaced decision about the drop.
2, Regular expression
2.1, the detection of SQL meta-characters Regular expression/(%27) | (') | (--)| (%23) | (#)/ix
2.2. Revise the regular expression of SQL Meta-characters/((%3d) | ( =)) [^n]* (%27) | (--)
| (%3b) | (:))/I
2.3, a typical SQL injection attack regular expression/w* ((%27) | (')) ((%6f) |o| (%4f)) ((%72) |r| (
%52))/ix
2.4, detection of SQL injection, union query keyword regular expression/((%27) | (')) Union/ix (%27) | (')-single
The quotation mark and its hex equivalent union-union keyword.
2.5. Regular expression/exec (s|+) + (s|x) for detecting MS SQL Server SQL injection attacks Pw+/ix
3. String filter
public static string Filtercontent (string content) {
String flt = "' |and|exec|insert|select|delete|update|count|*|%
|chr|mid|master|truncate|char|declare|;| Or|-|+|, ";
Stringfilter[] = flt.split ("|");
for (int i=0;i<filter.length; i++)
{
Content.replace (Filter[i], "");
}
return content;
}
4, unsafe word Fu Shi cover
This part of the use of JS to screen, the role is very small, so using the method of shielding keyword although there is a role, but in the actual application of these SQL keywords may become a real query keyword, to that is you blocked the user is not normal use. Just go up and down the code specification.
Where there are variables involved in executing SQL, use JDBC (or other data persistence layer) to provide such as: PreparedStatement can be, remember not to use the method of stitching strings.
Feature Description: Check if "'", "\", "/"
Parameter description: The string to check
Return value: 0: is 1: not
The name of the function is
function Check (a)
{
return 1;
FIBDN = new Array ("'", "\", "/");
I=fibdn.length;
J=a.length;
for (ii=0;ii<i;ii++)
{for (jj=0;jj<j;jj++)
{Temp1=a.charat (JJ);
TEMP2=FIBDN[II];
if (TEM ';p 1==temp2)
{return 0; }
}
}
return 1;
}