Common SQL Injection prevention methods

Source: Internet
Author: User
Tags: sql injection, prevention, strong password

Data verification methods can be classified as follows:

1) Sanitize the data so that it becomes valid
2) Reject known illegal input
3) Accept only known valid input

Method 1 has several conceptual problems. First, developers cannot necessarily know what illegal data consists of, because new forms of illegal data may appear at any time. Second, altering the data changes its length, which leads to the problem mentioned above. Finally, there is a second-order injection problem if data already stored in the system has to be reused.

Method 2 runs into some of the same problems as method 1: knowledge of what constitutes illegal data goes out of date because attack techniques keep developing.

Method 3 is probably the best of the three, but it is difficult to implement.

From a security perspective it is better to combine methods 2 and 3: allow only valid input, and then also look for illegal characters within it.

An example where the two methods must be combined is the problem of hyphenated surnames:

Question Bassington-Bassington

We must allow a hyphen in valid input, but we must also be aware of what the string '--' means to SQL Server (it begins a comment, so everything after it is ignored).

Another problem occurs when data sanitizing is combined with illegal-character validation. Suppose we apply the "illegal character detector" to look for '--', 'select' and 'union', and then use the "data sanitizing filter" to delete single quotes. An attacker can then supply input such as:

uni'on sel'ect @@version-'-

Because the filter deletes single quotes, the attacker can scatter single quotes through the known-illegal strings so that the detector, which runs first, never sees them; after the filter runs, the input becomes 'union select @@version--'. The detector must therefore run on the sanitized value, not the raw one.

The following is some example validation code (VBScript/ASP):

Method 1 - Escape single quotes

' Doubles every single quote so it is treated as a literal character by SQL Server
Function escape(input)
    input = Replace(input, "'", "''")
    escape = input
End Function

Method 2 - Reject known illegal input

' Returns False if the input contains any entry of the known-bad list (case-insensitive)
Function validate_string(input)
    known_bad = Array("select", "insert", "update", "delete", "drop", "--", "'")
    validate_string = True
    For i = LBound(known_bad) To UBound(known_bad)
        If (InStr(1, input, known_bad(i), vbTextCompare) <> 0) Then
            validate_string = False
            Exit Function
        End If
    Next
End Function

Method 3 - Accept only valid input

' Returns False if any character of the input is outside the allowed set
Function validatepassword(input)
    good_password_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    validatepassword = True
    For i = 1 To Len(input)
        c = Mid(input, i, 1)
        If (InStr(good_password_chars, c) = 0) Then
            validatepassword = False
            Exit Function
        End If
    Next
End Function
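The following is an added example, written in Python rather than the article's VBScript and not part of the original text. It implements the "illegal character detector" and the quote-deleting "sanitizing filter" from the scenario above, shows why the detector has to run on the sanitized value, and combines a whitelist with the '--' check for hyphenated surnames. The surname character set is an assumption chosen for this example.

```python
import re

# Detector list from the scenario in the article: '--', 'select', 'union'
DETECTOR_WORDS = ("--", "select", "union")

# Constructed whitelist for a surname field: letters and hyphens only
SURNAME_CHARS = re.compile(r"^[A-Za-z-]+$")


def strip_quotes(value: str) -> str:
    """The 'data sanitizing filter': deletes single quotes from the input."""
    return value.replace("'", "")


def detector_flags(value: str) -> bool:
    """The 'illegal character detector': case-insensitive match on DETECTOR_WORDS."""
    lowered = value.lower()
    return any(word in lowered for word in DETECTOR_WORDS)


def check_then_strip(value: str):
    """Order from the article's bypass: detect first, then strip quotes.
    Returns the string that would reach SQL, or None if rejected."""
    if detector_flags(value):
        return None
    return strip_quotes(value)


def strip_then_check(value: str):
    """Corrected order: normalize first, then run the detector on the result."""
    cleaned = strip_quotes(value)
    if detector_flags(cleaned):
        return None
    return cleaned


def validate_surname(value: str) -> bool:
    """Methods 3 and 2 combined: allow letters and hyphens (so
    'Bassington-Bassington' passes) but never the SQL comment marker '--'.
    Note the whitelist also rejects legitimate names such as O'Brien, which is
    the article's point that accept-only-known-good is hard to get right."""
    return bool(SURNAME_CHARS.match(value)) and "--" not in value
```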


[SQL Server defense]

The most important point is to lock down SQL Server itself: an 'out of the box' installation is not secure. Here is a concise list of what to do when building a SQL Server deployment:

1. Determine how clients connect to the server
A. Verify, using the 'Network Utility', that only the network libraries you actually need are enabled.
2. Check which accounts exist
A. Create a low-privilege account for the application.
B. Delete accounts that are not needed.
C. Make sure that all accounts have strong passwords. Run a password audit script regularly (such as the one provided in the appendix).
3. Check which objects exist
A. Many extended stored procedures can be safely removed. Once that is done, consider deleting the DLLs that contain the extended stored procedures.
B. Delete all sample databases, such as the 'Northwind' and 'pubs' databases.
4. Check which accounts can access which objects
A. The account the application uses to access the database should have only the minimum permissions it needs on the objects it requires.
5. Check the patch status of the server
A. There are several SQL Server buffer overflow [3], [4] and format string [5] attacks (mostly discovered by the author), as well as other security patches; more vulnerabilities may exist.
6. Check what is being logged and what can be logged.
