How to Prevent database Injection

As ASP script systems are widely used on the Internet, script attacks against ASP systems are becoming increasingly popular. In these attacks, attackers use injection, cross-site, violent library, upload, Cookie spoofing, and bypass to control the server. This article provides a simple and easy solution to the SQL injection attacks that are currently popular on the Internet, hoping that the next injection will not be yours.

　　[SQL injection vulnerability overview]

The so-called SQL Injection attack, that is, SQL Injection, means that an attacker inserts an SQL command into the input field of a Web form or the query string requested by the page, deceiving the server to execute malicious SQL commands. The official saying is: "When an application uses the input content to construct dynamic SQL statements to access the database, SQL injection attacks will occur. If the Code uses stored procedures, which are passed as strings containing unfiltered user input, SQL injection attacks will also occur. SQL injection may allow attackers to log on to the database using applications to execute commands. If an application uses a privileged account to connect to the database, this problem becomes very serious ." In some forms, the content entered by users is directly used to construct (or affect) dynamic SQL commands or as input parameters of stored procedures. Such forms are particularly vulnerable to SQL injection attacks. Many website programs do not judge the validity of user input data or improperly process the variables in the program, which poses security risks to the application. In this way, you can submit a piece of database query code (usually in the address bar of a browser and access through the normal www port) to obtain sensitive information or control the entire server according to the results returned by the program, therefore, SQL injection is generated. To put it simply, the principle of SQL injection is to submit special code from the client, so as to collect information about programs and servers and obtain the information you think.

　　[Simple use of SQL Injection Vulnerabilities]

Since this article does not intend to teach you how to perform SQL injection attacks, it only provides a symbolic demonstration of the attacker's injection attack process. If you are interested in this aspect, refer to other articles. Most of the injection attacks against Access databases are troublesome, because the general steps are to guess the Administrator table name, field name, character length, character content, and search for the background, therefore, many injection tools are generated on the Internet, which are easy to use. Perhaps this is one of the reasons why injection attacks are popular. The author tests the downloading system, its list. asp, view. asp and other files all generate the injection vulnerability because the parameter ID is not filtered. The conventional injection is not much said. Let's draw a picture for everyone, 1:

We can see the injection point: http: // 202.193.72.123/list. asp? Id = 84 for injection. First, determine whether the injection can be performed. If yes, "Congratulations, this URL can be injected!" is displayed !", Then, you can guess the table name. Two database table names are obtained. We chose the userinfo table related to the administrator account and password to guess, the obtained fields include id, usr, and pwd. Then, we can guess the content in the table field. Here we can guess that the Administrator account is admin and the administrator password is admin888, it is difficult to manually complete the whole process. The following describes the Union query injection, and the Administrator account and password are suddenly exposed. As a set of open-source code, the rain point download system is not difficult to learn about its database structure. The Administrator account and password information is stored in the userinfo table segment, and the corresponding fields are id, usr, and pwd, respectively, in addition, the system administrator and common users are placed in a table. The userinfo table has a userclassid field, indicating their permissions, the userclass table clearly tells us what ID corresponds to what permissions, here we want to go to the management background, of course, the account and password of the system administrator, that is, the corresponding where judgment statement is added during the construction. When the injection point is determined, we construct the following syntax:

Union select usr, 2, 3 from userinfo where userclassid = 1 returns a page with an administrator account, 2:

Replace usr in the preceding injection statement with pwd and return to the administrator password. With the Administrator account and password and the management background address added, you will not be able to do anything else. Do not destroy it!

[Simple prevention of SQL Injection Vulnerabilities]

Currently, the most popular SQL Injection tools on the Internet use GET and POST to perform specific injection. If we filter out some special symbols used for injection, the injection tool is useless to prevent injection. For example, the prevention code for injection of the GET submission method is as follows:

The following is a reference clip: Dim SQL _injdata SQL _inj SQL _GetSQL_injdata = "'| and | exec | insert | select | delete | update | count | * | % | chr | mid | master | truncate | char | declare" SQL _inj = split (SQL _Injdata, "|") If Request. queryString <> "" Then For Each SQL _Get In Request. queryString For SQL _Data = 0 To Ubound (SQL _inj) if instr (Request. queryString (SQL _Get), SQL _Inj (SQL _DATA)> 0 Then Response. write "<Script Language = JavaScript> alert ('do not include invalid characters in the Parameter Try injection! '); History. back (-1) </Script> "Response. end if next Next end If

Similarly, POST should also be checked. Note that it is flexible here. You only need to write the injection-related keywords to SQL _injdata and separate them with "|. Many friends don't even want to write code. Don't worry. There are general anti-injection programs. Here I will introduce you to the general anti-injection program, which was developed by the Firefox Technology Alliance Feng Zhiqiu [F. s.T] General Anti-injection program 2.0 perfect version, or download the system list from the rain. asp is used as an example. Call. Then we can manually test its injection vulnerability:

The following figure is displayed when you add a 'test' to the end, as shown in Figure 3:

Click OK to return the following information, as shown in Figure 4:

If you want to view the attack information, you can view the records in the database, 5:

The attack IP address, the attacked page, and the passed parameters are recorded. The attack methods include Get and Post, and the attack time and specific content are recorded. The administrator can see what this information can do. I don't need to say more. You're afraid of it! Of course, in the attitude of being responsible to the readers, the author said that it is not okay if there is a general anti-injection program, because Cookies can also transmit parameters, in addition, from the root cause of the vulnerability, it is still necessary to infiltrate the variable. For numeric variables, use IsNumeric () to judge, the single quotation marks of the Character Type Filter make it impossible to close the single quotation marks when constructing the injection statement. The following two functions are for your reference:

The following is a reference clip: ========================================================== ==== Determine whether it is a number, otherwise, use the default value to replace the variable to be replaced by iCheck, iDefault default value ================================================= ====== Function GetSafeInt (iCheck, iDefault) If Trim (iCheck) = "" Then GetSafeInt = iDefault Exit Function End If IsNumeric (iCheck) = false Then GetSafeInt = iDefault Exit Function End If GetSafeInt = iCheckEnd Function ================