Introduction to SQL injection: SQL injection inserts SQL commands into a submitted web form, a domain name, or a page-request query string so that the server ends up executing a malicious SQL command it was tricked into accepting. More precisely, it is the ability to use an existing application to inject (malicious) SQL commands into the back-end database engine: by entering (malicious) SQL statements in a web form on a site that has this vulnerability, the attacker gets the database to execute those statements rather than the SQL the designer intended.
SQL injection methods:
First, string concatenation (the SQL entered in the input box changes the original intent of the query). The login query is built by splicing the two text boxes into the SQL text:
SELECT * FROM t_user WHERE UserID = '<txtUserId.Text>' AND Password = '<txtPassword.Text>'
The principle is to grant access when a row with the given user name (UserID) and password (Password) is found in the t_user table. With txtUserId.Text set to MySQL and txtPassword.Text set to Mary, the SQL query becomes:
SELECT * FROM t_user WHERE UserID = 'MySQL' AND Password = 'Mary'
If txtUserId.Text and txtPassword.Text are instead assigned the values ' or '1'='1'-- and abc respectively, the statement seen by the SQL interpreter changes to:
SELECT * FROM t_user WHERE UserID = '' or '1'='1'--' AND Password = 'abc'
The WHERE clause now contains two conditions joined by OR, so the row matches if either one is true. '1'='1' is always true, and the trailing "--" starts a comment, so everything after it (including the password check) is ignored. The login therefore succeeds, and the SQL injection has worked.
Original SQL statement: INSERT INTO category (name) VALUES ('" + caName + "')
Input box value: caName = Entertainment News') SELECT category--
The SQL statement becomes: INSERT INTO category (name) VALUES ('Entertainment News') SELECT category--')
After this change the statement performs two operations, an insert followed by a query (if the appended statement were a DELETE rather than a SELECT the result would be far worse). Again the SQL injection succeeds.
Second, reading the error page (SQL Server exposes some system variables, and if the output of error messages is not restricted, the injector can read their values directly from the error text). Take a URL on the site such as:
http://www.xxx.com/Login.aspx?id=49 and user>0
The first part of the statement is normal; the point is the appended "and user>0". As we know, user is a built-in SQL Server variable whose value is the user name of the current connection, and its type is nvarchar. When an nvarchar value is compared with the integer 0, the system first tries to convert the nvarchar value to int, and that conversion is bound to fail. SQL Server then reports an error such as: Syntax error converting the nvarchar value 'abc' to a column of data type int. Here abc is the value of the variable user, so the injector has obtained the database user name: SQL injection succeeds.
SQL injection prevention:
First, simple precautions:
1. Restrict special characters and the length of the text accepted by input boxes.
2. Set the error page for the web application:
In the Web.config file (inside <system.web>), set:
<!-- automatic redirect when an error occurs ("~/error.html" is the path of the page that is shown) -->
<customErrors mode="On" defaultRedirect="~/error.html"></customErrors>
3. URL rewriting:
URL rewriting is the process of first receiving an incoming URL request and then rewriting it to another URL that the site can handle. For example, if the URL that arrives from the browser is "userprofile.aspx?id=1", it can be rewritten as "userprofile/1.aspx".
II. Precautions in SQL statements
1. Parameterized queries: a parameterized query (parameterized statement) supplies the values that must be filled in as parameters (Parameter), which are assigned when the database connection and data access code are written, instead of splicing the values into the SQL text.
For example:
Without a parameterized query:
string sql = "SELECT * FROM comment WHERE newsId = " + txtNewsId + " ORDER BY createTime DESC";
Because txtNewsId in the SQL statement above is not fixed, the SQL text is different on every call and has to be recompiled each time, and exactly as with the string concatenation above this makes SQL injection possible.
With a parameterized query:
string sql = "SELECT * FROM comment WHERE newsId = @newsId ORDER BY createTime DESC";
SqlParameter[] paras = new SqlParameter[] { new SqlParameter("@newsId", newsId) };
Because the SQL statement above is fixed, each call only passes the value of @newsId, so whatever the user enters is passed in as a value and never as SQL text, which prevents SQL injection.
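As an added example (not code from the original post), the two login queries from the first section, the spliced one and a parameterized one, run against a constructed in-memory SQLite copy of the post's t_user table, so the effect of the post's ' or '1'='1'-- value can be observed directly. SQLite's "?" placeholders play the role of ADO.NET's @newsId parameter here.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: the post's t_user table with one real account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t_user (UserID TEXT, Password TEXT)")
    conn.execute("INSERT INTO t_user VALUES ('MySQL', 'Mary')")
    return conn


def login_concat(conn: sqlite3.Connection, user_id: str, password: str) -> bool:
    """Vulnerable: the post's string-splicing login; input becomes part of the SQL text."""
    sql = ("SELECT * FROM t_user WHERE UserID = '" + user_id
           + "' AND Password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_param(conn: sqlite3.Connection, user_id: str, password: str) -> bool:
    """Fixed: the SQL text is constant; the values travel as bound parameters."""
    sql = "SELECT * FROM t_user WHERE UserID = ? AND Password = ?"
    return conn.execute(sql, (user_id, password)).fetchone() is not None


def demo() -> dict:
    """Run both logins with valid credentials and with the post's injected UserID."""
    conn = make_db()
    payload = "' or '1'='1'--"  # the post's injected UserID value
    return {
        # spliced query: "WHERE UserID = '' or '1'='1'--' AND Password = 'abc'"
        "concat_valid": login_concat(conn, "MySQL", "Mary"),
        "concat_injected": login_concat(conn, payload, "abc"),  # password check commented out
        # parameterized query: the payload is compared as a literal user name
        "param_valid": login_param(conn, "MySQL", "Mary"),
        "param_injected": login_param(conn, payload, "abc"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The spliced login accepts the injected value because the comment removes the password test; the parameterized login rejects it because no user is literally named ' or '1'='1'--.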
2. Use stored procedures:
In fact a stored procedure prevents SQL injection only if two conditions are both met: the stored procedure is itself called with a parameterized query, and the body of the stored procedure contains no SQL injection of its own (it does not build dynamic SQL from its inputs).
3. Restrict access to the database:
Set up specific permissions for different users. For example, user 1 is only allowed to run queries, so that even if user 1's credentials are stolen, the attacker cannot perform other operations on the tables after logging in; this protects the data to a certain extent.
Copyright notice: this article is the blogger's original work and may not be reproduced without the blogger's permission.
SQL Injection and prevention