Common methods for SQL anti-injection

Methods of data validation can be categorized into the following types:

1 The data to make it effective
2 Reject known illegal input
3 Accept only known valid input

Method 1 has many conceptual problems; First, it is not necessary for developers to know what illegal data is made of, since new forms of illegal data can be created at any time. Second, changing the data will change its length, which can lead to the problem mentioned earlier. Finally, there are two injections of data that need to be reused for the system.

Solution 2 also encounters some of the same problems as 1, knowing that illegal data is obsolete because new attack technologies are also evolving.

Solution 3 may be the best of the three methods, but it is more difficult to implement.

From a security perspective it may be best to combine solutions 2 and 3 to allow only legitimate input and then search for illegal characters.

An example that must combine these two approaches is the problem with a hyphen name:

Question Bassington-bassington

We have to allow hyphenation in legitimate input, but we also need to understand what the string '--' means in sql-server.

Another problem occurs when data collation combines illegal character validation. Suppose we use the "illegal character detector" to detect '--', ' Select ' and ' Union ', and remove single quotes using the data collation filter, an attacker can specify such input:

Uni ' on sel ' ect @ @version-'-

Because single quotes are removed by the filter, an attacker can evade checking by scattering single quotes in its known illegal string.

Here are some of the validated code:

Method 1-Dodge single quotes

function Escape (Input)
input = replace (input, "'", "" ")
Escape = input
End Function

Method 2-Reject known illegal input

function validate_string (input)
Know_bad = Array ("Select", "Insert", "Update", "delete", "drop", "--", "")
Validate_string = True
For i = LBound (Know_bad) To UBound (Known_bad)
if (InStr (1, input, Known_bad (i), vbTextCompare) <> 0)
Validate_string = False
Exit function
End If
Next
End Function

Method 3-only valid input allowed

function ValidatePassword (input)
Good_password_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
ValidatePassword = True
For i = 1 to len (input)
c = Mid (input, I, 1)
if (InStr (Good_password_chars, c) = 0) Then
ValidatePassword = False
Exit function
End If
Next
End Function

[SQL Server Defense]

The most important thing is to guard against SQL Server, the ' out of the box ' is not safe. Here's a concise list of things to do when creating a Sql-server architecture:

1. Decide how to connect to the server
A. Use ' Network Utility ' to verify that the network library you are using is available
2. Check which accounts exist
A. Create a low privilege account for a program
B. Deleting unwanted accounts
C. Ensure that all accounts have a robust password; In a normal run a password audit script (as provided in the appendix).
3. Check which objects exist
A. Many extended stores can be safely deleted if these have been done consider deleting some DLLs that contain extended storage
B. Delete all database instances-such as ' Northwind ' and ' pubs ' database
4. Check which accounts can access the object
A. The account number of the Access database used by the application user should have minimal access to the desired object
5. Check the server patch status
A. There are some buffer overflows for sql-server [3],[4] and format string [5] attacks (mostly by the authors themselves) and some other security patches, and there may be more vulnerabilities
6. Check what the log records, and what the log can do.