ASP.NET methods for preventing SQL injection attacks

Source: Internet
Author: User
Tags: sql injection attack
First, what is a SQL injection attack?

A SQL injection attack is one in which an attacker inserts a SQL command into the input fields of a Web form or into the query string of a page request, tricking the server into executing a malicious SQL command. Forms in which user-entered content is used directly to construct (or influence) a dynamic SQL command, or is passed as an input parameter to a stored procedure, are particularly susceptible to SQL injection. A typical SQL injection attack proceeds as follows:

⑴ An ASP.NET Web application has a login page that controls whether the user may access the application; it asks the user to enter a name and a password.

⑵ The content entered on the login page is used directly to construct a dynamic SQL command, or is passed directly as a parameter to a stored procedure. Here is an example of how an ASP.NET application might construct the query:

// Vulnerable: the two text box values are concatenated straight into the SQL text.
System.Text.StringBuilder query = new System.Text.StringBuilder(
 "SELECT * from Users WHERE login = '")
 .Append(txtLogin.Text).Append("' AND password='")
 .Append(txtPassword.Text).Append("'");
string sql = query.ToString(); // this string is what the database will execute

⑶ The attacker enters ' or '1'='1 in both the user name and the password input boxes.

⑷ After the input is submitted to the server, the server runs the ASP.NET code above to construct the SQL command that queries for the user. Because the attacker entered very special content, the resulting SQL command becomes:

SELECT * from Users WHERE login = '' or '1'='1' AND password='' or '1'='1'

⑸ The server executes the query or stored procedure, comparing the identity information entered by the user with the identity information stored on the server.

⑹ Because the SQL command has been modified by the injected input, it no longer actually authenticates the user, and the system incorrectly grants the attacker access.

An attacker who knows that the application authenticates by using the form's input directly in a query will try entering special SQL strings that tamper with the query, changing its original function and tricking the system into granting access.

The damage an attacker can cause depends on the environment, and above all on the permissions of the account the application uses to access the database. If that account has administrator or other elevated privileges, the attacker can perform all kinds of operations on the database tables, including adding, deleting or updating data, and possibly even dropping tables outright.

Second, how to prevent it?

Fortunately, it is not particularly difficult to keep an ASP.NET application from being compromised by a SQL injection attack, as long as all form input is filtered before it is used to construct a SQL command. Input can be filtered in a variety of ways.

⑴ For dynamically constructed SQL queries, the following techniques can be used:

First: Replace single quotation marks, that is, change every single quote into two single quotes, so that the attacker cannot change the meaning of the SQL command. Looking at the previous example again, "SELECT * from Users WHERE login = ''' or ''1''=''1' AND password=''' or ''1''=''1'" obviously gives a different result from "SELECT * from Users WHERE login = '' or '1'='1' AND password='' or '1'='1'".

Second: Delete all hyphens from user input, to prevent an attacker from constructing a query such as "SELECT * from Users WHERE login = 'mas'--' AND password = ''". Because the second half of this query has been commented out, it is no longer in effect, so an attacker who knows a legitimate user's login name does not need to know the password to gain access.

Third: Restrict the permissions of the database account used to execute the query. Use different user accounts for query, INSERT, UPDATE and DELETE operations. Because the operations each account may perform are isolated from one another, the account used to execute SELECT commands is prevented from executing INSERT, UPDATE or DELETE commands.

⑵ Use stored procedures to execute all queries.

Passing values as SQL parameters prevents an attacker from using single quotes and hyphens to carry out an attack. In addition, it allows database permissions to be restricted to executing only specific stored procedures, and all user input then has to follow the security context of the stored procedure being called, which makes injection attacks much harder.

⑶ Limit the length of form and query string input.

If a user login name is at most 10 characters, do not accept more than 10 characters from the form; this greatly increases the difficulty of inserting harmful code into a SQL command.

⑷ Check the legality of user input and make sure the input contains only valid data.

Data checks should be performed on both the client and the server; server-side validation exists to compensate for the fragile security of client-side validation.

On the client, it is entirely possible for an attacker to obtain the source code of the Web page, modify the script that checks validity (or delete the script altogether), and then submit illegal content to the server through the modified form. Therefore, the only way to ensure that validation is actually performed is to perform it on the server side. You can use many of the built-in validation controls, such as RegularExpressionValidator, which automatically generate client-side validation scripts and can also be invoked from the server. If you cannot find a ready-made validation control, you can create your own with CustomValidator.

⑸ Save data such as user login names and passwords in encrypted form.

Encrypting the data entered by the user before comparing it with the data saved in the database is equivalent to "disinfecting" the input: the encrypted value no longer has any special meaning to the database, which prevents the attacker from injecting SQL commands. The System.Web.Security.FormsAuthentication class has a HashPasswordForStoringInConfigFile method that is ideal for disinfecting input data.

⑹ Check the number of records returned by the query that fetches the data.

If the program expects only one record to be returned but the query actually returns more than one row, treat it as an error.

The above are the ASP.NET methods for preventing SQL injection attacks; I hope they are helpful to everyone's study.
