SQL injection attacks and Prevention

1. What is SQL injection?
1. Definition of SQL Injection
SQL Injection usesProgramSQL vulnerabilities and attack methods.

2. SQL Injection example
1) use SQL syntax errors to obtain the structure information of database tables:
To successfully launch an attack, attackers need to know which table and column are available. The default behavior of SQL Server is to return an error message when an incorrect query is run.

For example, if an attacker enters the username "'having 1 = 1; --", the database returns the table name andCodeQuery the error message in the first column;

The group by statement further determines the column in the query: "'group by table name. Column name having 1 = 1 ;--",

The database returns the next column in the query. Attackers can attach the group by statement until they no longer receive the error message.
2) obtain the database content:
Attackers can use the transformed error message to obtain data stored in the database,

For example, enter the username: "'Union select Min (username), 1 from users where username> 1 ;--",

The database returns the first user name in the table.

Attackers can use the same SQL injection, replace username with password to get the password of the user account, and so on, and obtain each record in the database table.
3) Use '-- or' or 1 = 1 -- shorten query Conditions
Select username from users
Where username = 'admin' -- 'and Password = '201312'
4) modify the database table content:
The attacker ends a query statement using ';' and then attaches a destructive SQL statement,

For example, "'; delete from accounts" or "'; insert into users (......)".
Select username from users
Where username = 'admin'; drop table users --'
And Password = '000000'
5) access the operating system through SQL
Select username from users
Where username = 'admin'; Exec xp_cmdshell 'net user haker 123456/add' -- 'and Password = '123'

 
Ii. How to Prevent SQL Injection
1. Avoid splicing SQL
2. Use stored procedures
3. Use parameterized SQL
Sqlparameter can check the type and length and automatically escape user input.
Select username from users where username = @ username
And Password = @ Password
4. length limit
5. input verification and type check
Select title from news where id = 123; delete from news
6. filter or escape dangerous characters
Inputsql. Replace ("'","''");
'; --/**/XP _
7. handle errors on the server:
Successful SQL injection attacks do not necessarily result in errors. The resulting SQL injection is usually a precursor to attacks when attackers collect database information.

Handle errors in try. Catch... finally;
<Compilation DEBUG = "false"/>;
<Customerrors mode = "remoteonly"/>.
8. The minimum permissions of the database account used by the program