Defense Against SQL Injection Vulnerabilities

Source: Internet
Author: User
Tags: sql injection protection

Software Security

For a website, the dangers of SQL injection are enormous.

Because the problem lies in the code, it should be fixed in the program code. However, many webmasters do not know the code well; they simply download a ready-made system from the internet and use it, so asking them to change the code themselves is a bit much. Program developers do release patches from time to time, and webmasters can close the vulnerabilities by patching promptly.

Those who can write code should filter all data received from the client before using it in SQL statements. In the past, the common practice was to filter the parameters that might cause vulnerabilities one by one. Since then, a general-purpose SQL injection protection system has been developed.

The idea is to filter all data submitted to the page. Data submitted in an SQL injection attempt has a distinguishing feature: it contains SQL statements and SQL keywords. If strings such as "AND", "UNION" and "SELECT" appear in the submitted data, the request can be identified as an injection attempt and rejected, instead of the data being passed into an SQL statement for execution.

The following code, written by the author based on this idea, imitates the universal SQL anti-injection system:

<%
'-------- Definition section ------------------
Dim FangZhuPost, FangZhuGet, FangZhuIn, FangZhuInf, FangZhuXh
' Note: customize the strings to be filtered and separate them with "|".
' If the reader finds any omissions, add them. All entries are lowercase
' because the parameter values are compared after LCase().
' (The leading single quote is assumed: the first entry was lost in extraction.)
FangZhuIn = "'|;|and|(|)|exec|insert|select|union|delete|update|count|*|%|chr|mid|master|truncate|char|declare"

FangZhuInf = Split(FangZhuIn, "|")   ' Note: use "|" to separate the invalid strings
'-------- POST part ------------------
If Request.Form <> "" Then
    For Each FangZhuPost In Request.Form   ' Note: loop over each submitted parameter
        For FangZhuXh = 0 To UBound(FangZhuInf)   ' Note: compare the value in lowercase with each invalid string
            If InStr(LCase(Request.Form(FangZhuPost)), FangZhuInf(FangZhuXh)) <> 0 Then
                ' Note: an invalid string exists in the data; warn and stop processing
                Response.Write "<Script Language=JavaScript>alert('Do not include invalid characters in the parameters. Do not try to inject!');</Script>"
                Response.End
            End If
        Next
    Next
End If
'----------------------------------

'-------- GET part -------------------
If Request.QueryString <> "" Then
    For Each FangZhuGet In Request.QueryString
        For FangZhuXh = 0 To UBound(FangZhuInf)
            If InStr(LCase(Request.QueryString(FangZhuGet)), FangZhuInf(FangZhuXh)) <> 0 Then
                Response.Write "<Script Language=JavaScript>alert('Do not include invalid characters in the parameters. Do not try to inject!');</Script>"
                Response.End
            End If
        Next
    Next
End If
%>

Save the code in an ASP file, such as fang.asp, and place fang.asp in the directory of the page file to be protected. Add the line <!--#include file="fang.asp"--> at the beginning of the page to be protected, then save and exit.

To test whether the SQL injection vulnerability is now prevented, submit http://127.0.0.1/veryzone/announce.asp?id=16 and 1=1 in the browser. The dialog box shown in Figure 2-73 is displayed, and the page shows nothing else.

Figure 2-73: The warning dialog box.

If no invalid characters exist in the parameter, the page is still displayed normally, as shown in Figure 2-74.

Figure 2-74: The page displayed normally.

In this way, the SQL injection vulnerability can be eliminated, but this is not a universal strategy, because the code takes a "kill everything" approach: it would rather wrongly block a thousand legitimate requests than let one attack through. If the data a user legitimately needs to enter happens to contain one of these strings, it is also treated as an invalid string. There is no better way around this; the user can only enter different strings.
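To make the keyword-filter idea and its false-positive caveat concrete, here is an added example (not code from the original article) that reimplements the ASP script's blacklist check in Python over a constructed GET/POST-style parameter dictionary. It then shows the alternative a practitioner would normally prefer: binding the value as a query parameter with sqlite3, so a legitimate value such as the surname "Anderson" (which contains "and") is neither blocked nor able to change the SQL. The table, rows, function names and the leading single quote in the blacklist are assumptions of this example.

```python
import sqlite3
from typing import Optional

# Constructed filter list mirroring the ASP script's FangZhuIn string.
# The leading "'" is an assumption (the usual first entry of that script).
BLOCKED = (
    "'|;|and|(|)|exec|insert|select|union|delete|update|count"
    "|*|%|chr|mid|master|truncate|char|declare"
).split("|")


def find_blocked_token(value: str) -> Optional[str]:
    """Return the first blacklisted token found in value (case-insensitive), or None.

    This mirrors the script's InStr(LCase(...)) check on a single parameter.
    """
    lowered = value.lower()
    for token in BLOCKED:
        if token in lowered:
            return token
    return None


def check_request(params: dict) -> dict:
    """Run the filter over every submitted parameter, like the POST/GET loops.

    Returns {"allowed": True}, or {"allowed": False, "param": name, "token": tok}
    for the first parameter that trips the blacklist (the script's Response.End).
    """
    for name, value in params.items():
        hit = find_blocked_token(value)
        if hit is not None:
            return {"allowed": False, "param": name, "token": hit}
    return {"allowed": True}


def build_demo_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE announce (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO announce VALUES (?, ?)",
        [(16, "Maintenance window"), (17, "New release")],
    )
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("INSERT INTO users VALUES ('Anderson')")
    return conn


def lookup_announce(conn: sqlite3.Connection, raw_id: str) -> Optional[str]:
    """Parameterised lookup: the id is validated as an integer and bound,
    never spliced into the SQL text. Returns the title or None."""
    try:
        wanted = int(raw_id)
    except ValueError:
        return None
    row = conn.execute("SELECT title FROM announce WHERE id = ?", (wanted,)).fetchone()
    return row[0] if row else None


def find_user(conn: sqlite3.Connection, raw_name: str) -> Optional[str]:
    """Parameterised lookup by name: the bound value is compared literally,
    so a name containing "and" works and cannot alter the query."""
    row = conn.execute("SELECT name FROM users WHERE name = ?", (raw_name,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    # The test request from the article is stopped by the blacklist...
    print(check_request({"id": "16 and 1=1"}))   # blocked on "and"
    # ...but so is a legitimate surname: the false positive the text warns about.
    print(check_request({"name": "Anderson"}))   # blocked on "and"
    db = build_demo_db()
    print(lookup_announce(db, "16"))             # Maintenance window
    print(lookup_announce(db, "16 and 1=1"))     # None: not a valid id
    print(find_user(db, "Anderson"))             # Anderson
```

Running the script shows both sides of the trade-off: the blacklist stops the `id=16 and 1=1` request from the article, but it also rejects "Anderson", whereas the bound query serves the legitimate name and treats the tampered id as simply not matching any row.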

This section has described the methods for preventing SQL injection vulnerabilities in detail, and has written code modelled on the anti-injection program to block injection attempts, so that SQL injection vulnerabilities cannot arise. At present no one has found a way to break through this code, and webmasters can safely use it for protection.
