Application System Security Reinforcement: SQL Injection Prevention Solution

Source: Internet
Author: User
Tags md5 digest sql injection prevention

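Some time ago, I developed a performance appraisal knowledge management system for IT system maintenance personnel under the arrangement of the leaders. After the system went online, the system was properly tuned several times. Unfortunately, the good time is always too short. In February, the Group sent domestic security vendors to scan enterprise information system security, the system is found to have the SQL injection vulnerability, database Elevation of Privilege Security vulnerability, and security risks of uploading plaintext passwords and attachments. The leader made security rectification for the system within a time limit, so the author made a series of security reinforcement for the system to work overtime. The solution for SQL injection vulnerabilities is to first perform illegal character verification when you perform system operations. 2) database Elevation of Privilege Vulnerability: 1. Separate the database system account from the application account to create the account to be accessed by the application. 2. Reduce the permissions and set the specified IP address to remotely access the database. 3) encrypt and save user passwords; 4) Upload attachments are verified by blacklists and converted to whitelists. The related code is as follows: 1. The anti-SQL Injection code is as follows (users who need to copy the code and compile it in their own project and then call it to easily implement anti-SQL injection):
package action;

import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Objects;

/**
 * String helpers backing the appraisal system's input validation.
 *
 * <p>{@link #SQL_inj(String)} is a keyword/character blacklist. Such a filter is
 * only a coarse, defence-in-depth check: it rejects ordinary text that happens
 * to contain {@code and}, {@code or}, a comma or a hyphen, and it cannot
 * anticipate every spelling a database accepts. The change that actually
 * removes the SQL injection class of bug is building every statement with
 * {@code PreparedStatement} placeholders instead of string concatenation; this
 * filter, if kept at all, belongs in front of that, not instead of it.
 */
public class StringUtil {

    /** Delimiter-separated list of fragments that {@link #SQL_inj(String)} rejects. */
    private static final String INJ_STR =
            "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|;|or|-|+|,";

    /** {@link #INJ_STR} split once at class-load time; every entry is lowercase. */
    private static final String[] INJ_TOKENS = split(INJ_STR, "|");

    public StringUtil() {
    }

    /**
     * Replaces every occurrence of {@code substr} in {@code str} with {@code restr}.
     *
     * <p>Implemented as {@link #split(String, String)} followed by a join, so it
     * inherits that method's contract: an empty {@code str} yields {@code ""} and an
     * empty {@code substr} leaves {@code str} unchanged.
     *
     * @param str    the text to edit; must not be {@code null}
     * @param substr the fragment to look for; must not be {@code null}
     * @param restr  the replacement text; must not be {@code null}
     * @return {@code str} with each {@code substr} replaced by {@code restr}
     * @throws NullPointerException if any argument is {@code null}
     */
    public static String replace(String str, String substr, String restr) {
        // The original concatenated a null restr as the text "null"; reject it instead.
        Objects.requireNonNull(restr, "restr");
        return String.join(restr, split(str, substr));
    }

    /**
     * Splits {@code source} at every non-overlapping occurrence of {@code div}.
     *
     * <p>Unlike {@link String#split(String)}, the delimiter is literal (not a
     * regular expression) and trailing empty segments are kept, so
     * {@code split("a,b,", ",")} is {@code ["a", "b", ""]}.
     *
     * @param source the text to split; must not be {@code null}
     * @param div    the literal delimiter; must not be {@code null}
     * @return the segments in order; an empty array for an empty {@code source},
     *         and a single-element array holding {@code source} when {@code div}
     *         is empty or does not occur
     * @throws NullPointerException if either argument is {@code null}
     */
    public static String[] split(String source, String div) {
        Objects.requireNonNull(source, "source");
        Objects.requireNonNull(div, "div");
        if (source.isEmpty()) {
            return new String[0]; // historical contract: "" splits into nothing
        }
        if (div.isEmpty()) {
            // An empty delimiter matched at every index without ever advancing,
            // so the original scan never terminated; treat it as "no delimiter".
            return new String[] {source};
        }
        List<String> parts = new ArrayList<>();
        int from = 0;
        int at;
        while ((at = source.indexOf(div, from)) != -1) {
            parts.add(source.substring(from, at));
            from = at + div.length();
        }
        parts.add(source.substring(from)); // final segment, possibly ""
        return parts.toArray(new String[0]);
    }

    /**
     * Reports whether {@code str} contains any blacklisted SQL fragment.
     *
     * <p>The comparison is case-insensitive ({@link Locale#ROOT}); the original
     * checked only lowercase spellings. For example {@code SQL_inj("test''")} is
     * {@code true}, and so is {@code SQL_inj("Smith and Sons")} because of the
     * word {@code and} – see the class comment on why this filter must not be
     * relied on as the only protection.
     *
     * @param str the user-supplied text to screen; must not be {@code null}
     * @return {@code true} if a blacklisted fragment occurs, {@code false} otherwise
     * @throws NullPointerException if {@code str} is {@code null}
     */
    public static boolean SQL_inj(String str) {
        Objects.requireNonNull(str, "str");
        String lowered = str.toLowerCase(Locale.ROOT);
        for (String token : INJ_TOKENS) {
            if (lowered.contains(token)) {
                return true;
            }
        }
        return false;
    }
}
2. MD5 encryption code:
package action;
import java.security.MessageDigest;
/**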
 * <p>
 * Title: MD5 encryption and verification
 * </p>
 *
 * <p>
 * Description:
 * </p>
 *
 * <p>
 * Copyright: Copyright (c) 2006
 * </p>
 *
 * <p>
 * Company:
 * </p>
 *
 * @author not attributable
 * @version 1.0
 */
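public class MD5 {
    public MD5() {
    }

    /**
     * Computes the MD5 fingerprint of a string.
     *
     * <p>The input is encoded as UTF-8 before hashing. The original cast each
     * {@code char} to a {@code byte}, which kept only the low eight bits, so
     * distinct characters outside Latin-1 collided; digests of non-ASCII input
     * therefore differ from values the earlier implementation produced, while
     * ASCII input hashes identically.
     *
     * <p>MD5 is a fast, unsalted digest: equal inputs always give equal output
     * and it can be brute-forced cheaply. Storing {@code compute(password)} as a
     * credential hides the plaintext from a casual reader but little more; a
     * slow, salted password hash (bcrypt, scrypt, Argon2 or PBKDF2) is the
     * appropriate choice for password storage.
     *
     * @param inStr the string to digest; must not be {@code null}
     * @return the 32-character lowercase hexadecimal MD5 digest of {@code inStr}
     * @throws NullPointerException if {@code inStr} is {@code null}
     * @throws IllegalStateException if the platform provides no MD5 implementation
     *         (every conforming Java runtime must provide one)
     */
    public static String compute(String inStr) {
        java.util.Objects.requireNonNull(inStr, "inStr");
        MessageDigest md5;
        try {
            md5 = MessageDigest.getInstance("MD5");
        } catch (java.security.NoSuchAlgorithmException e) {
            // The original printed the stack trace and returned "", which made
            // compare(x, "") succeed whenever the algorithm was missing.
            throw new IllegalStateException("MD5 MessageDigest is not available", e);
        }
        byte[] md5Bytes = md5.digest(inStr.getBytes(java.nio.charset.StandardCharsets.UTF_8));
        StringBuilder hexValue = new StringBuilder(md5Bytes.length * 2);
        for (byte b : md5Bytes) {
            int val = b & 0xff;
            if (val < 16) {
                hexValue.append('0'); // keep every byte two hex digits wide
            }
            hexValue.append(Integer.toHexString(val));
        }
        return hexValue.toString();
    }

    /**
     * Verifies that {@code compareStr} digests to {@code md5Str}.
     *
     * <p>The comparison is exact: {@link #compute(String)} emits lowercase hex, so
     * an uppercase stored digest does not match. The two byte arrays are compared
     * with {@link MessageDigest#isEqual(byte[], byte[])}, which does not stop at
     * the first differing byte.
     *
     * @param compareStr the plaintext to check; must not be {@code null}
     * @param md5Str     the expected hexadecimal digest; {@code null} never matches
     * @return {@code true} if the digest of {@code compareStr} equals {@code md5Str},
     *         {@code false} otherwise
     * @throws NullPointerException if {@code compareStr} is {@code null}
     */
    public static boolean compare(String compareStr, String md5Str) {
        if (md5Str == null) {
            return false; // same outcome as the original String.equals(null)
        }
        byte[] actual = compute(compareStr).getBytes(java.nio.charset.StandardCharsets.UTF_8);
        byte[] expected = md5Str.getBytes(java.nio.charset.StandardCharsets.UTF_8);
        return MessageDigest.isEqual(actual, expected);
    }

    /** Prints the digest of {@code "aa"} and checks it against the known value. */
    public static void main(String[] args) {
        System.out.println("aa: =" + compute("aa"));
        System.out.println(compare("aa", "4124bc0a9335c27f086f24ba207a4912"));
    }
}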
