Prevent SQL injection attacks
Michael Otey
All relational databases, including SQL Server, Oracle, IBM DB2, and MySQL, are vulnerable to SQL injection attacks. You can buy products that protect your system from SQL injection attacks, but in most businesses the prevention of SQL injection must be done at the code level. SQL injection attacks mainly arise when a web application converts user input that contains dynamic SQL code into SQL commands for the database to execute. You can take the following four important steps to protect your web applications from attacks. In addition, the MSDN model and training I emphasized last month also put forward some suggestions for protecting database-driven web applications.
4. Principle of least privilege
The account used by the application to connect to the database should have only the necessary privileges, which helps protect the rest of the system from intruders. The application should not use the sa account or an administrator account to connect to the database. Instead, it should only have permission to access the single database that it needs to call.
3. Verify all input
If an input box should only contain numbers, verify that the user entered a number. If letters are acceptable, check whether there are unacceptable characters. Make sure that your application checks for the following: semicolons, equal signs, dashes, parentheses, and SQL keywords. The .NET Framework provides regular expressions for complex pattern matching. It is also a good idea to limit the length of the input that users can enter. Verifying user input is required because intruders can use the open web to launch SQL injection attacks on applications.
2. Avoid dynamic SQL statements
Dynamic SQL statements are powerful tools for database queries. However, mixing them with user input makes SQL injection possible. Replacing dynamic SQL statements with pre-compiled SQL statements or stored procedures is feasible for most applications. Pre-compiled SQL statements and stored procedures receive user input as parameters rather than as SQL commands, which limits what an intruder can do. Of course, this does not help if your stored procedures themselves use user input to generate SQL commands. In that case, SQL commands entered by the user may still be executed, and your database may still be vulnerable to SQL injection attacks.
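The difference described in steps 3 and 2, as an added example that is not part of the original article. It assumes an in-memory SQLite database standing in for the production database; the table, the function names, the name policy and the sample input are all hypothetical and constructed for illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data in an in-memory SQLite database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "clerk"), ("o'brien", "clerk")])
    return db

def find_dynamic(db, name):
    # Dynamic SQL: the user's input becomes part of the command text.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in db.execute(sql)]

def find_parameterized(db, name):
    # Fixed statement text; the input is bound as a parameter and stays data.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in db.execute(sql, (name,))]

# Assumed input policy: letters and apostrophes only, at most 32 characters.
NAME_RE = re.compile(r"[A-Za-z']{1,32}")

def is_valid_name(name):
    # Input verification: allowed characters plus a length limit.
    return NAME_RE.fullmatch(name) is not None

# Constructed input that carries SQL syntax instead of a plain name.
CRAFTED = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("dynamic, crafted input:      ", find_dynamic(db, CRAFTED))
    print("parameterized, crafted input:", find_parameterized(db, CRAFTED))
    print("parameterized, o'brien:      ", find_parameterized(db, "o'brien"))
    print("validation accepts crafted:  ", is_valid_name(CRAFTED))
    print("validation accepts o'brien:  ", is_valid_name("o'brien"))
```

The dynamic version returns every row for the crafted input, while the parameterized version returns none and still handles a legitimate name that contains an apostrophe.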
1. Double quotation marks
Replace every single quotation mark that users enter with double quotation marks. This simple precaution will prevent SQL injection attacks to a large extent; it may give unnecessary power to the inner. Replacing single quotes with double quotes can cause many SQL injection attacks to fail.
First Translation Article Don't be surprised when it's not good :)