How does SQL effectively prevent SQL injection?

Source: Internet
Author: User
Tags how to prevent sql injection
This article describes how to prevent SQL injection settings from the database server itself and some parameter filtering methods to prevent SQL injection in the program. For more information, see.

This article describes how to prevent SQL injection settings from the database server itself and some parameter filtering methods to prevent SQL injection in the program. For more information, see.

1. do not use the sa user to connect to the database
2. create a public permission database user and use this user to access the database
3. [role] remove the select access permission of the public role to the sysobjects and syscolumns objects.
4. right-click a [user] user name and choose "properties"> "permissions"> "sysobjects" and "syscolumns"
5. execute the following code in the SQL query analyzer (a failure indicates that the permission is correct. if the permission is displayed, the permission is too high ):

The code is as follows:

DECLARE @ T varchar (255 ),
@ C varchar (255)
DECLARE Table_Cursor CURSOR
Select a. name, B. name from sysobjects a, syscolumns B
Where. id = B. id and. xtype = 'u' and (B. xtype = 99 or B. xtype = 35 or B. xtype = 231 or B. (xtype = 167)
OPEN Table_Cursor
Fetch next from Table_Cursor INTO @ T, @ C
WHILE (@ FETCH_STATUS = 0)
BEGIN print @ c
Fetch next from Table_Cursor INTO @ T, @ C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor


When a hacker attacks SQL Server, the first method used is to execute the xp_mongoshell command of the master extended storage process to destroy the database. to ensure database security, it is best to disable xp_mongoshell.

Xp_cmdshell allows the system administrator to execute the specified command string in the operating system command line interpreter,
And returns any output in the form of text lines. it is a very powerful extended storage process.
In general, xp_mongoshell is not necessary for the administrator. the elimination of xp_mongoshell will not cause the Server
Any impact.
You can remove xp_cmdshell:

The code is as follows:
Use Master
Exec sp_dropextendedproc N 'XP _ export shell'
Go

If necessary, you can restore xp_mongoshell back:

The code is as follows:
Use Master
Exec sp_addextendedproc N 'XP _ cmdshell', n'xp log70. dll'
Go

If your database has two tables, D99_Tmp or D99_cmd, you can rest assured.

For example, if your website is developed using PHP + MYSQL (most popular CMS publishing systems currently use PHP ).

1. strengthen the script layer (that is, strengthen anti-injection measures in PHP ). Use the magic_quotes_gpc option of Php. ini. During development, the addslashes, intval, htmlspecialchars, and htmlentities functions are used wherever user input is required, add the javascript anti-injection vulnerability filter function (available filter functions can be found in the eesafe network security communication zone) and PHP anti-injection vulnerability filtering functions (available filtering functions can be found in the eesafe network security communication zone ).

2. strengthen the data layer (that is, strengthen anti-injection measures for databases ). When connecting a website to a database (that is, a connection pool), the user has normal permissions. do not use the account of the super user or database owner. Strictly check the type and format of the submitted data to ensure that the data type meets the requirements. for example, use the mysql database system function isnumberic () to determine whether the value uploaded to the database is a number. In addition, try to use sssl or ssh when connecting to the database.

Asp anti-SQL injection program

The code is as follows:

<%
Dim SQL _injdata
SQL _injdata = "'| and | exec | insert | select | delete | update | count | * | % | chr | mid | master | truncate | char | declare"
SQL _inj = split (SQL _Injdata, "| ")
If Request. QueryString <> "Then
For Each SQL _Get In Request. QueryString
For SQL _Data = 0 To Ubound (SQL _inj)
If instr (Request. QueryString (SQL _Get), SQL _Inj (SQL _DATA)> 0 Then
Response. Write ""
Response. end
End if
Next
Next
End If
If Request. Form <> "" Then
For Each SQL _Post In Request. Form
For SQL _Data = 0 To Ubound (SQL _inj)
If instr (Request. Form (SQL _Post), SQL _Inj (SQL _DATA)> 0 Then
Response. Write ""
Response. end
End if
Next
Next
End if
%>


Use SQL Server database security parameters

To reduce the adverse effects of injection attacks on SQL Server databases, a relatively safe SQL parameter is designed for SQL Server databases. In the database design process, engineers should try to use these parameters to prevent malicious SQL injection attacks.

For example, the SQL Server database provides the Parameters set. This set provides the type check and length verification functions. If the administrator uses the Parameters set, the content entered by the user is considered as a character value rather than executable code. Even if the input content contains executable code, the database filters out the code. At this time, the database only treats it as a common character. Another advantage of using the Parameters set is that you can perform type and length checks forcibly. values outside the range will trigger an exception. If the value entered by the user does not meet the specified type and length constraints, an exception is reported to the administrator. In the above case, if the data type defined by employee number is string type, the length is 10 characters. The user-entered content is also character-type data, but its length is up to 20 characters. In this case, an exception is thrown because the length of the content entered by the user exceeds the length limit of the database field.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.