I. Introduction to SQL injection
SQL injection is one of the more common network attack techniques. It does not exploit bugs in the operating system; it exploits the programmer's negligence when building SQL statements. Through crafted SQL fragments an attacker can log in without an account, or even tamper with the database.
II. General approach of a SQL injection attack
1. Find the location where SQL can be injected
2. Determine the server type and the back-end database type
3. Carry out the SQL injection attack according to the characteristics of that server and database
III. SQL injection attack example
For example, a login form requires a username and password:
You can log in without an account by entering:
User name: ' or 1=1--
Password: (leave it blank)
Click Login. If the input is not specially handled, this illegal user is happily logged in. (Of course, some languages' database APIs already deal with this problem.)
Why does this work? Let's analyze it:
In theory, the back-end authentication program contains an SQL statement like this:
String sql = "SELECT * FROM user_table WHERE username='" + username + "' AND password='" + password + "'";
When the username and password above are entered, that SQL statement becomes:
SELECT * FROM user_table WHERE username='' or 1=1--' AND password=''
Parsing this SQL statement:
The condition username='' or 1=1 is always true, because 1=1 holds whatever the username is;
The two dashes -- that follow start a comment, so everything after them (the password check) is ignored. The statement still executes without error, and the attacker easily fools the system and obtains a legitimate identity.
That is still the gentle version. Suppose the following were executed instead:
SELECT * FROM user_table WHERE username='';DROP DATABASE (DB Name)--' AND password=''
.... The consequences can be imagined ... (Whether the second statement actually runs depends on the database and driver allowing more than one statement per call, but the query is no longer the one the programmer wrote either way.)
IV. Countermeasures
Here I will discuss JSP specifically:
1. (Simple and effective) PreparedStatement
Using precompiled statements, PreparedStatement has built-in protection against SQL injection, as long as every variable value is passed in through its setXxx methods.
Benefits:
(1). Better readability and maintainability of the code.
(2). PreparedStatement gives the best possible performance: the statement is compiled once and can be executed repeatedly with different parameters.
(3). Most importantly, it greatly improves security.
Principle:
SQL injection can only interfere with the preparation (compilation) phase of an SQL statement.
A PreparedStatement has already been prepared; in the execution phase the input string is handled purely as data,
the SQL statement is not parsed or prepared again, and so the SQL injection problem is avoided. Note that this holds only when the variable is bound with setXxx; if it is concatenated into the string handed to prepareStatement(), the protection is lost.
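The login bypass from section III and the PreparedStatement principle above, as an added example that is not code from the original page. It uses Python's sqlite3 module rather than JSP/JDBC because the mechanism is the same: the query built by string concatenation sits beside the same query with bound parameters (the equivalent of PreparedStatement plus setString), and the page's DROP payload is run through executescript(), which behaves like a driver that accepts stacked statements. The user_table row is constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the page): one user in an in-memory DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_table (username TEXT, password TEXT)")
    conn.execute("INSERT INTO user_table VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """Vulnerable: the page's  "... '" + username + "' ..."  pattern.
    The user's text becomes part of the SQL grammar, so  ' or 1=1--
    rewrites the WHERE clause and comments out the password check."""
    sql = ("SELECT * FROM user_table WHERE username='" + username
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchall()


def login_prepared(conn, username, password):
    """Hardened: the equivalent of PreparedStatement + setString().
    The statement is compiled with ? placeholders; the values are bound
    afterwards as data and are never parsed as SQL."""
    sql = "SELECT * FROM user_table WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


def login_concat_stacked(conn, username, password):
    """The page's DROP example. sqlite3's execute() refuses a second
    statement, so this uses executescript(), which behaves like a driver
    that allows stacked queries: every statement in the string is run."""
    sql = ("SELECT * FROM user_table WHERE username='" + username
           + "' AND password='" + password + "'")
    conn.executescript(sql)


def table_exists(conn, name="user_table"):
    """True if the table is still present in the schema."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    bypass = "' or 1=1--"
    print("concat  :", login_concat(db, bypass, ""))        # every row: bypassed
    print("prepared:", login_prepared(db, bypass, ""))      # []: literal username
    print("prepared:", login_prepared(db, "alice", "s3cret"))
    login_concat_stacked(db, "'; DROP TABLE user_table; --", "")
    print("table still exists:", table_exists(db))         # False
```

With the concatenated query the bypass string returns every user and the stacked payload removes the table; with placeholders the same string is just a username that matches nothing, and no amount of quoting in the input changes that.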
2. Use regular expressions to filter incoming parameters
Package to import:
import java.util.regex.*;
Regular expression (note the doubled backslashes required inside a Java string literal):
private String checkSql = "^(.+)\\sand\\s(.+)|(.+)\\sor(.+)\\s$";
Check whether the input matches:
Pattern.matches(checkSql, targetStr);
The following are specific regular expressions:
Regular expression to detect SQL meta-characters:
/(\%27)|(\')|(--)|(\%23)|(#)/ix
Modified regular expression to detect SQL meta-characters:
/((\%3D)|(=))[^\n]*((\%27)|(\')|(--)|(\%3B)|(;))/i
Regular expression for a typical SQL injection attack:
/\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix
Regular expression to detect SQL injection with the UNION query keyword:
/((\%27)|(\'))union/ix
Regular expression to detect an MS SQL Server SQL injection attack:
/exec(\s|\+)+(s|x)p\w+/ix
And so on.....
These patterns are a blacklist: they catch the forms they list (quotes and their URL encoding, comments, or, union, exec sp_/xp_) and miss encodings or spellings they do not, while also rejecting legitimate input such as a name containing an apostrophe. Treat them as a detection aid, not as a replacement for PreparedStatement.
3. String filtering
A fairly common method:
(The fragments between the | separators can be added to according to your own program's needs.)
public static boolean sql_inj(String str)
{
    String inj_str = "'|and|exec|insert|select|delete|update|"
        + "count|*|%|chr|mid|master|truncate|char|declare|;|Or|-|+|,";
    // "|" is a regex metacharacter, so it must be escaped for split()
    String[] inj_stra = inj_str.split("\\|");
    for (int i = 0; i < inj_stra.length; i++)
    {
        // case-sensitive substring test
        if (str.indexOf(inj_stra[i]) >= 0)
        {
            return true;   // a blacklisted fragment was found
        }
    }
    return false;
}
4. Call the function from the JSP to check whether the input contains illegal characters
This prevents SQL from being injected through URL parameters:
sql_inj.java code:
package sql_inj;

public class sql_inj {
    public static boolean sql_inj(String str)
    {
        String inj_str = "'|and|exec|insert|select|delete|update|"
            + "count|*|%|chr|mid|master|truncate|char|declare|;|Or|-|+|,";
        // The items here can also be added to by yourself
        String[] inj_stra = inj_str.split("\\|");
        for (int i = 0; i < inj_stra.length; i++)
        {
            if (str.indexOf(inj_stra[i]) >= 0)
            {
                return true;
            }
        }
        return false;
    }
}
Bear in mind that this list is case-sensitive and also rejects ordinary input (a surname with an apostrophe, a date written with hyphens), so it is a supplement to PreparedStatement, not a substitute for it.
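An added example (not code from the page) that ports the blacklist from sql_inj() and the first regular expression of section 2 to Python and runs them over constructed input strings, to show concretely what a filter of this kind catches and what it misses. The sample strings are made up for the demonstration; sql_inj_ci is an assumed case-insensitive variant, added here to show that the obvious fix trades one problem for another.

```python
import re

# Same fragments as the page's inj_str, split on "|" as the Java code does.
INJ_STR = ("'|and|exec|insert|select|delete|update|"
           "count|*|%|chr|mid|master|truncate|char|declare|;|Or|-|+|,")
BLACKLIST = INJ_STR.split("|")


def sql_inj(s):
    """Port of the page's check: True if any fragment occurs anywhere in s.
    Like String.indexOf, the comparison is case-sensitive."""
    return any(frag in s for frag in BLACKLIST)


def sql_inj_ci(s):
    """Assumed case-insensitive variant (not on the page)."""
    low = s.lower()
    return any(frag.lower() in low for frag in BLACKLIST)


# The page's checkSql pattern. Java's Pattern.matches() requires the whole
# input to match, which re.fullmatch reproduces.
CHECK_SQL = re.compile(r"^(.+)\sand\s(.+)|(.+)\sor(.+)\s$")


def check_sql(s):
    """True if s matches the page's checkSql regular expression."""
    return CHECK_SQL.fullmatch(s) is not None


# Constructed inputs: two attack strings and three pieces of legitimate data.
SAMPLES = [
    "' or 1=1--",     # the page's login bypass
    "1 or 1=1",       # same idea against a numeric parameter, no quote needed
    "Sandra",         # a first name
    "2024-05-01",     # a date
    "Rock and Roll",  # a free-text field
]


def report(samples=SAMPLES):
    """Return {input: (sql_inj, sql_inj_ci, check_sql)} for each sample."""
    return {s: (sql_inj(s), sql_inj_ci(s), check_sql(s)) for s in samples}


if __name__ == "__main__":
    for s, (blk, ci, rx) in report().items():
        print(f"{s!r:18} blacklist={blk!s:5} ci={ci!s:5} regex={rx}")
```

Running it shows the two weaknesses of this approach side by side: the quote-free payload `1 or 1=1` passes the blacklist because only "Or" with a capital O is listed, and passes the regular expression because its second alternative demands trailing whitespace (the page's own `' or 1=1--` fails it for the same reason), while harmless values such as "Sandra" and "2024-05-01" are rejected. Making the list case-insensitive catches the numeric payload but then also rejects "Andrew".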
5. JSP page check code:
Use JavaScript on the client side to screen out unsafe characters.
Function description: checks whether the string contains "'", "\" or "/"
Parameter description: the string to check
Return value: 0: an unsafe character is present; 1: none is present
The function is:
function check(a)
{
    fibdn = new Array("'", "\\", "/");
    i = fibdn.length;
    j = a.length;
    for (ii = 0; ii < i; ii++)
    {
        for (jj = 0; jj < j; jj++)
        {
            temp1 = a.charAt(jj);
            temp2 = fibdn[ii];
            if (temp1 == temp2)
            { return 0; }
        }
    }
    return 1;
}
A client-side check like this only improves the user's experience: an attacker can disable JavaScript or send the request directly, so the server must still validate the input and, above all, use PreparedStatement.
===================================
In general, an ordinary SQL injection can be prevented simply by following a few coding conventions.
Wherever variables take part in executing SQL, use what JDBC (or another data persistence layer) provides, such as PreparedStatement; remember never to build the SQL by concatenating strings.