How to combat and prevent SQL injection attacks

I. Introduction to SQL injection

SQL injection is one of the most common methods of network attack, it is not to exploit the bugs of the operating system to implement the attack, but to neglect the programmer's programming, to realize the login without account and even tamper with the database through SQL statements.

Second, the general idea of SQL injection attack

1. Find the location of the SQL injection

2. Determine server type and background database type

3. SQL injection attacks against non-server and database features

Iii. examples of SQL injection attacks

For example, in a login interface, required to enter the user name and password:

You can enter this to implement a free account login:

User name: ' or 1 =-

Password

Point Landing, if not to do special treatment, then this illegal user is very proud of landing in. (Of course, some languages now have database APIs that address these issues.)

What is this for? Below we analyze:

Theoretically, the following SQL statements are available in the Background authentication program:

String sql = "SELECT * from User_table where username=

' "+username+" ' and password= ' "+password+" ";

When you enter the user name and password above, the SQL statement above becomes:

SELECT * from User_table WHERE username=

' OR 1 = 1--and password= '

Parsing SQL statements:

After the condition username= "or 1=1 user name equals" or 1=1 then this condition will succeed;

And then add two--which means that the comment, which will comment on the following statements, so that they do not work, so that the statement will always be executed correctly, the user easily fooled the system, to obtain legal status.

This is still relatively gentle, if it is performed

SELECT * from User_table WHERE

Username= ';D rop DATABASE (DB Name)--' and password= '

.... The consequences are conceivable ...

Iv. Methods of response

Now I'm talking about the JSP and how to deal with it:

1. (Simple and effective method) PreparedStatement

With a precompiled set of statements, it has the ability to handle SQL injection, as long as it uses its Setxxx method to pass values.

Benefits of Use:

(1). Readability and maintainability of the code.

(2). PreparedStatement the best possible performance improvements.

(3). The most important point is that the security is greatly improved.

Principle:

SQL injection is only destructive to the preparation (compilation) process of SQL statements

And PreparedStatement is ready, the execution phase just takes the input string as data processing,

Instead of parsing and preparing SQL statements, SQL injection problems are avoided.

2. Using regular expressions to filter incoming parameters

Packages to be introduced:

Import java.util.regex.*;

Regular Expressions:

Private String Checksql = "^ (. +) \\sand\\s (. +) | (. +) \\sor (. +) \\s$ ";

To determine whether to match:

Pattern.matches (CHECKSQL,TARGERSTR);

The following is a specific regular expression:

Regular expression for detecting SQL Meta-characters:

/(\%27) | (\ ') | (\-\-)| (\%23) | (#)/ix

Fixed regular expression for detecting SQL Meta-characters:/((\%3d) | ( =)) [^\n]* ((\%27) | ( \ ') | (\-\-)| (\%3b) | (:))/I

Regular expressions for typical SQL injection attacks:/\w* ((\%27) | ( \ ')) ((\%6f) |o| (\%4f)) ((\%72) |r| (\%52)) /ix

Regular expression for detecting SQL injection, union query Keyword:/((\%27) | ( \ ')) Union/ix (\%27) | (\’)

Regular expressions for detecting MS SQL Server SQL injection attacks:

/exec (\s|\+) + (s|x) P\w+/ix

Wait a minute.....

3. String filtering

One of the more common methods:

(| | Parameters can be added according to the needs of your own program)

public static Boolean Sql_inj (String str)

{

String inj_str = "' |and|exec|insert|select|delete|update|

count|*|%| chr|mid|master|truncate|char|declare|;| Or|-|+|, ";

String inj_stra[] = Split (Inj_str, "|");

for (int i=0; I < inj_stra.length; i++)

{

if (Str.indexof (Inj_stra[i]) >=0)

{

return true;

}

}

return false;

}

Call this function in 4.jsp to check if the envelope is not an illegal character

To prevent SQL from being injected from a URL:

Sql_inj.java Code:

Package Sql_inj;

Import java.net.*;

Import java.io.*;

Import java.sql.*;

Import java.text.*;

Import java.lang.String;

public class sql_inj{

public static Boolean Sql_inj (String str)

{

String inj_str = "' |and|exec|insert|select|delete|update|

count|*|%| chr|mid|master|truncate|char|declare|;| Or|-|+|, ";

You can also add your own stuff here.

String[] Inj_stra=inj_str.split ("\\|");

for (int i=0; I < inj_stra.length; i++)

{

if (Str.indexof (Inj_stra[i]) >=0)

{

return true;

}

}

return false;

}

}

5.JSP Page judgment Code:

Use JavaScript to masking the client for unsafe words

Function Description: Check if it contains "'", "\ \", "/"

Parameter description: The string to check

Return value: 0: Yes 1: No

The function name is

function Check (a)

{

return 1;

FIBDN = new Array ("'", "\ \", "/");

I=fibdn.length;

J=a.length;

for (ii=0; ii

{for (jj=0; jj

{Temp1=a.charat (JJ);

TEMP2=FIBDN[II];

if (TEM '; p1==temp2)

{return 0;}

}

}

return 1;

}

===================================

In general, the prevention of generic SQL injection can be as long as the code specification is up and down.

Where there are variables involved in the execution of SQL, using JDBC (or other data persistence layer) to provide such as: PreparedStatement, remember not to use the method of stitching strings.

How to combat and prevent SQL injection attacks