1. What is SQL injection attacks?
The so-called SQL injection attack means that an attacker inserts an SQL command into the input field of a web form or the query string requested by the page, and deceives the server to execute malicious SQL commands. In some forms, the content entered by users is directly used to construct (or affect) dynamic SQL commands or as input parameters of stored procedures. Such forms are particularly vulnerable to SQL injection attacks. Common SQL injection attacks include:
(1) An ASP. NET web application has a logon page that controls whether the user has the right to access the application. It requires the user to enter a name and password.
Webjx. com
(2) The content entered on the logon page is directly used to construct dynamic SQL commands, or directly used as parameters of stored procedures. The following is an example of constructing a query for an ASP. NET application:
System. Text. stringbuilder query = new system. Text. stringbuilder ("select * from users where login = '"). Append (txtlogin. text ). Append ("'and Password = '"). Append (txtpassword. text ). Append ("'");
Webjx. com
(3) The attacker enters "'or '1' = '1" in the username and password input boxes.
Webjx. com
(4) After the content entered by the user is submitted to the server, the server runs the above ASP. NETCodeConstruct the SQL command to query the user. However, because the content entered by the attacker is very special, the final SQL command is changed: select * from users where login = ''or '1' = '1' and Password ='' or '1' = '1 '.
The login server performs queries or stored procedures to compare the user-entered identity information with the identity information stored on the server.
Because SQL commands have been modified by injection attacks and cannot actually authenticate user identities, the system will incorrectly authorize attackers.
If the attacker knows that the application will directly use the content entered in the form for identity authentication queries, he will try to input some special SQL strings to tamper with the query and change its original function, the spoofing system grants access permissions.
Webjx. com
The system environment is different, and attackers may cause different damages, which is mainly determined by the security permissions of the application to access the database. If the user's account has administrator or other advanced permissions, attackers may perform various operations on the database table, including adding, deleting, or updating data, you may even directly Delete the table.
2. How to prevent such attacks?
Webpage tutorial Network
Fortunately, Asp. it is not particularly difficult for a net application to be intruded by SQL injection attacks. You only need to filter all input content before using the content entered in the form to construct an SQL command. You can filter the input content in multiple ways.
(1) The following technology can be used to dynamically construct SQL queries: webjx. com
First, replace the single quotation marks (single quotes) to change all single quotes to two single quotes to prevent attackers from modifying the meaning of SQL commands. Let's take a look at the previous example, "select * from users where login = '''' or ''1'' = ''1' and Password = '''' or ''1'' = ''1 '" obviously, different results will be obtained from "select * from users where login ='' or '1' = '1' and Password = ''or '1' = '1.
Webpage tutorial Network
2. delete all the characters in user input to prevent attackers from constructing queries such as "select * from users where login = 'mas '-- And Password =, because the second half of this type of query has been commented out and is no longer valid, attackers only need to know a valid user logon name and do not need to know the user's password to obtain access permissions.
Webpage tutorial Network
Third: restrict the permissions of the database account used to execute the query. Query, insert, update, and delete operations with different user accounts. The operations that can be performed by different accounts are isolated, which prevents the places where the SELECT command was originally used to execute the insert, update, or delete command.
(2) Use stored procedures to execute all queries. The SQL parameter transmission method prevents attacks by using single quotes and hyphens. In addition, it allows the database permission to be limited to only allow execution of specific stored procedures. All user input must comply with the security context of the called stored procedure, in this way, it is difficult to launch injection attacks again. Webpage tutorial Network
(3) restrict the length of form or query string input. If a user's login name can contain a maximum of 10 characters, do not recognize the 10 or more characters entered in the form. This will greatly increase the difficulty for attackers to insert harmful code in SQL commands.
(4) Check the validity of user input and ensure that the input content only contains valid data. Data check should be performed on both the client and the server-the reason for the server-side verification is to make up for the weak security of the client authentication mechanism.
On the client, attackers can obtainSource code, Modify the script to Verify validity (or directly Delete the script), and then submit the illegal content to the server through the modified form. Therefore, to ensure that the verification operation has been performed, the only way is to perform verification on the server. You can use many built-in verification objects, such as regularexpressionvalidator, which can automatically generate client scripts for verification. Of course, you can also insert server-side method calls. If no existing verification object is found, you can create one by yourself through customvalidator.
Webpage tutorial Network
Encrypt and save user login names, passwords, and other data. Encrypt the data input by the user, and then compare it with the data stored in the database. This is equivalent
The user input data is no longer of any special significance to the database, thus preventing attackers from injecting SQL commands. The system. Web. Security. formsauthentication class has a hashpasswordforstoringinconfigfile, which is very suitable for disinfecting input data.
Explain checks the number of records returned by the query for extracted data. IfProgramOnly one record is required to be returned, but more than one row is actually returned, which is treated as an error.