SQL injection attacks
An SQL injection attack is one in which an attacker inserts SQL commands into a Web form field or page request query string, tricking the server into executing a malicious SQL command.
Forms in which user-entered content is used directly to build dynamic SQL statements, or is passed as an input parameter to a stored procedure, are particularly susceptible to SQL injection attacks.
Because SQL injection attacks take the form of legitimate SQL statements, they are not blocked by firewalls, and they are particularly harmful because they apply to any database that is based on the SQL language standard.
Methods for preventing SQL injection attacks:
1) Validate user input (for example with regular expressions) and sanitize it before constructing the SQL command from the form contents.
For example, replace single quotes: change every single quote into two single quotes, so that an attacker cannot use a quote to change the meaning of the SQL command.
2) Avoid passing user input to an interpreter; that is the usual route by which an attacker gets an illegitimate command executed.
3) Encrypt sensitive values such as query strings, user login names and passwords.
4) Remove all hyphens from user input, since the double hyphen `--` begins an SQL comment that can cut off the rest of a statement.
5) Restrict the permissions of the database account that is used to execute the query.
6) Use stored procedures to execute all queries.
7) Check the legality of user input and make sure it contains only valid data. Perform these checks on both the client and the server side.
8) Check the number of records returned by the query that extracts the data.
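The following added example (not code from the original article) puts methods 1 and 8 beside a parameterized query, using a constructed in-memory SQLite table. It runs the same form input through three lookups: plain string concatenation, the quote-doubling fix from method 1, and a driver-bound parameter, and it counts the rows each one returns.

```python
import sqlite3

QUERY = "SELECT name, role FROM users WHERE name = "

def make_db():
    """Constructed sample table standing in for the application's user database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("o'brien", "user"), ("bob", "user")])
    return conn

def lookup_concat(conn, name):
    """Vulnerable pattern: the form value becomes part of the SQL text itself."""
    return conn.execute(QUERY + "'" + name + "'").fetchall()

def lookup_escaped(conn, name):
    """Method 1: double every single quote before concatenating the value."""
    return conn.execute(QUERY + "'" + name.replace("'", "''") + "'").fetchall()

def lookup_param(conn, name):
    """Parameterized query: the driver binds the value, so it is never parsed as SQL."""
    return conn.execute(QUERY + "?", (name,)).fetchall()

def rows_returned(lookup, name):
    """Row count for one lookup, or 'error' when the built SQL does not even parse."""
    try:
        return len(lookup(make_db(), name))
    except sqlite3.OperationalError:
        return "error"

def compare(name):
    """Row counts from all three lookups for the same form input."""
    return {fn.__name__: rows_returned(fn, name)
            for fn in (lookup_concat, lookup_escaped, lookup_param)}

def login_lookup(conn, name):
    """Method 8: a login lookup must match exactly one record, otherwise reject it."""
    rows = lookup_param(conn, name)
    return rows[0] if len(rows) == 1 else None

if __name__ == "__main__":
    # A legitimate name containing an apostrophe breaks the concatenated query.
    print(compare("o'brien"))
    # A constructed input whose quote rewrites the WHERE clause: concatenation
    # returns every row, while the escaped and bound versions return none.
    print(compare("x' OR name <> 'x"))
```

The escaped and parameterized lookups agree on every input; the difference is that parameter binding needs no per-character escaping rules and is the form a practitioner should use by default.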