MySQL security hardening practices

Source: Internet
Author: User
Tags: md5 digest

The group hired top security vendors in China to scan the security of its enterprise information systems. The scan found that the author's O&M system had a SQL injection vulnerability, a database privilege-escalation vulnerability, plaintext password storage, and an insecure attachment upload. The author therefore carried out a series of hardening work on the system, and the vendor's second scan found no further issues. The specific countermeasures are as follows.

1) SQL injection vulnerability

The chosen solution was to validate input for illegal characters before the system performs any operation. Because the system was already online, it was not feasible to rework every SQL statement into a PreparedStatement, so a filter action was added in front of the application to block SQL injection instead. The implementation is shown below.

A keyword blacklist of this kind is a stop-gap rather than a fix. The check is a case-sensitive substring match, so it rejects legitimate input that happens to contain a listed token (a name such as "sandra" contains "and"; any value containing "-", "+" or "," is refused), while payloads that avoid the listed spellings pass (an upper-case OR, or an injection into a numeric context that needs no quote character). Parameterised queries remain the only robust fix and should be introduced statement by statement as the code is touched.

1. The anti-SQL-injection code is as follows:

```java
package action;

import java.util.ArrayList;
import java.util.List;

/** String helpers used by the injection filter action. */
public class StringUtil {

    public StringUtil() {
    }

    /** Replaces every occurrence of substr in str with restr; null results are returned as "". */
    public static String replace(String str, String substr, String restr) {
        String[] tmp = split(str, substr);
        String returnstr = null;
        if (tmp.length != 0) {
            returnstr = tmp[0];
            for (int i = 0; i < tmp.length - 1; i++) {
                returnstr = dealNull(returnstr) + restr + tmp[i + 1];
            }
        }
        return dealNull(returnstr);
    }

    /**
     * Splits source on the literal delimiter div. Unlike String.split this is not a regex,
     * so delimiters such as "|" and "*" need no escaping. An empty source yields an empty
     * array; a source that does not contain div yields a single element.
     */
    public static String[] split(String source, String div) {
        if (source.compareTo("") == 0) {
            return new String[0];
        }
        List<String> parts = new ArrayList<String>();
        int start = 0;
        int idx;
        while ((idx = source.indexOf(div, start)) != -1) {
            parts.add(source.substring(start, idx));
            start = idx + div.length();
        }
        parts.add(source.substring(start));
        return parts.toArray(new String[0]);
    }

    /** Blacklist check: true if str contains any listed token (case-sensitive substring match). */
    public static boolean sql_inj(String str) {
        String inj_str = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|;|or|-|+|,";
        String[] inj_stra = split(inj_str, "|");
        for (int i = 0; i < inj_stra.length; i++) {
            if (str.indexOf(inj_stra[i]) >= 0) {
                return true;
            }
        }
        return false;
    }

    private static String dealNull(String str) {
        return str == null ? "" : str;
    }

    public static void main(String[] args) {
        if (sql_inj("test''")) {
            System.out.println("invalid character");
        } else {
            System.out.println("valid input content");
        }
    }
}
```

2. MD5 digest code:

```java
package action;

import java.security.MessageDigest;

/**
 * Title: MD5 encryption and verification
 * Copyright: Copyright (c) 2006
 * Company:
 * @author not attributable
 * @version 1.0
 */
public class MD5 {

    public MD5() {
    }

    /**
     * Computes the MD5 fingerprint of a string.
     * @return the lower-case hex MD5 digest of the input String, or "" if MD5 is unavailable
     */
    public static String compute(String inStr) {
        MessageDigest md5 = null;
        try {
            md5 = MessageDigest.getInstance("MD5");
        } catch (Exception e) {
            System.out.println(e.toString());
            e.printStackTrace();
            return "";
        }
        // Each char is truncated to its low byte, so only Latin-1 input is hashed faithfully.
        char[] charArray = inStr.toCharArray();
        byte[] byteArray = new byte[charArray.length];
        for (int i = 0; i < charArray.length; i++) {
            byteArray[i] = (byte) charArray[i];
        }
        byte[] md5Bytes = md5.digest(byteArray);
        StringBuffer hexValue = new StringBuffer();
        for (int i = 0; i < md5Bytes.length; i++) {
            int val = ((int) md5Bytes[i]) & 0xff;
            if (val < 16) {
                hexValue.append("0");
            }
            hexValue.append(Integer.toHexString(val));
        }
        return hexValue.toString();
    }

    /**
     * Verifies a string against an MD5 digest.
     * @param compareStr the plaintext string to check
     * @param md5Str the stored hex digest
     * @return true if the digest of compareStr equals md5Str, otherwise false
     */
    public static boolean compare(String compareStr, String md5Str) {
        String computeStr = compute(compareStr);
        return computeStr.equals(md5Str);
    }

    public static void main(String[] args) {
        System.out.println("aa: =" + compute("aa"));
        System.out.println(compare("aa", "4124bc0a9335c27f086f24ba207a4912"));
    }
}
```

2) Database privilege-escalation vulnerability

1. Separate the database system account from the application account: create a dedicated account for the application to connect with.
2. Remove remote access for root and allow remote access to the database only from the application server's IP address. Steps (run against the mysql system database):

```sql
-- a) remove every root entry except root@localhost, so root can no longer log in remotely
delete from user where user = "root" and host != "localhost";
-- b) reload the grant tables
flush privileges;
-- c) application account limited to DML on the itwh schema, connecting from one host only
grant select, insert, update, delete on itwh.* to myapp@"10.0.212.122" identified by "youpassword";
-- d) reload the grant tables
flush privileges;
```

The application account gets only SELECT, INSERT, UPDATE and DELETE on its own schema; no DDL, FILE or SUPER privilege, which is what prevents a compromised application from escalating inside the database. Note that GRANT ... IDENTIFIED BY creates the account implicitly on MySQL 5.x; on MySQL 8.0 that clause has been removed, so create the account first with CREATE USER 'myapp'@'10.0.212.122' IDENTIFIED BY '...' and then issue the GRANT without a password clause.

3) Encrypt stored user passwords

User passwords are saved as MD5 digests rather than plaintext, so that O&M staff who can read the database cannot recover a user's password and log on to the system as that user. Bear in mind that an unsalted, fast digest only protects passwords that are not in an attacker's dictionary: identical passwords produce identical digests, and a stolen table can be reversed with a precomputed lookup. A salted, deliberately slow password hash is the standard choice for new code.

4) Attachment upload verification was converted from a blacklist to a whitelist. The specific implementation is not relevant to this article and is not described here.
