On web security: SQL injection

Source: Internet
Author: User
Tags: microsoft sql server

To put it simply, my understanding is that web security is primarily about code injection.

SQL injection: brief introduction

SQL injection attacks, often simply called injection attacks, are security vulnerabilities that occur at the application's database layer. In short, SQL code is injected into input that the program concatenates into a SQL command string; when a poorly designed program neglects to check that input, the database server mistakes the injected instructions for normal SQL commands and runs them, and the system is corrupted or intruded upon.

Simply put, SQL injection means inserting SQL commands into a Web form submission, a domain name or a page-request query string, so that the server is eventually deceived into executing a malicious SQL command. For example, if the user enters ' or '1'='1' or '1'='1 in the User Name text box, the SQL statement used for validation becomes:

SELECT * FROM student WHERE username='' or '1'='1' or '1'='1' AND password=''

The WHERE condition of this statement is always true, so the validation always passes.

SQL Injection Process

Principle of operation
    • SQL commands can query, insert, update, delete, and so on, and several commands can be chained together, with the semicolon character separating one command from the next. (Chaining was originally intended for subqueries or for the WHERE conditions of query, insert, update and delete statements.)
    • In a SQL command, a string argument that is passed in is wrapped in single quote characters. Two consecutive single quote characters, however, are treated by the SQL engine as one literal single quote character inside the string.
    • A SQL command can also contain comments: two consecutive minus characters (--) comment out the text that follows them, and text wrapped in /* and */ is a comment.
    • Therefore, if the SQL command string is assembled by concatenation without replacing (doubling) the single quote characters in the variables, a maliciously crafted variable can alter the original SQL syntax when it is filled into the command string.
The main forms of SQL injection:
    1. Direct attack: code is inserted directly into a user-input variable that is concatenated with the SQL command, causing it to execute.
    2. Indirect attack: malicious code is injected into a string that is stored in a table or stored as metadata. The malicious code executes when the stored string is later concatenated into a dynamic SQL command.
Two conditions for injection
    1. The user can control the input;
    2. The program concatenates the user's input into the code it executes.
Common injection methods
    1. Improper handling of escape characters
    2. Improper handling of types
    3. Improper assembly of query statements
    4. Improper handling of errors
    5. Improper handling of multiple submissions

Common Risks

An application is exposed to high-risk SQL injection if any of the following conditions are present:
- SQL instructions are assembled in the application by string concatenation.
- The application connects to the database with an account that has excessive permissions (for example, many developers prefer to connect with the highest-privileged system administrator account, such as root or sa).
- Unnecessary but very powerful database functions are left enabled (e.g., the xp_cmdshell extended stored procedure or the OLE Automation stored procedures in Microsoft SQL Server).
- User-entered data is trusted too much: there is no limit on the number of characters entered and no check for potential instructions in the data.

Possible damage:
    • Data in the tables is leaked, such as personal confidential data, account data and passwords.
    • The data structure is discovered by attackers and used for further attacks (e.g. SELECT * FROM sys.tables).
    • The database server is attacked and the system administrator account is tampered with (for example, ALTER LOGIN sa WITH PASSWORD = 'xxxxxx').
    • With higher system permissions, malicious links, malicious code or XSS can be added to Web pages.
    • Through the operating system support provided by the database server, attackers can modify or control the operating system (for example, xp_cmdshell 'net stop IISAdmin' to stop the server's IIS service).
    • Hard drive data is destroyed and the system paralyzed (e.g. xp_cmdshell 'FORMAT C:').
Methods of prevention
    • When designing the application, implement the data access functionality entirely with parameterized queries.
    • When concatenating SQL strings, escape the passed-in parameters by replacing each single quote character with two consecutive single quote characters. If the Web program is developed in PHP, the magic quotes feature can be enabled (it automatically processes all parameters passed into the page, replacing each single quote character with two consecutive single quote characters).
    • Alternatively, connect to the SQL database in other, more secure ways, for example through a database connection component that has already fixed the SQL injection problem, such as the ASP.NET SqlDataSource object or LINQ to SQL.
    • Replace dangerous characters and, where possible, reject input that contains the following characters:
    • Validate all input: restrict the length of user input, restrict the range of values the user may enter, test the input size and data type, and enforce appropriate restrictions. This also helps prevent deliberate buffer overflows.
    • Create a dedicated database user with fewer privileges for the current application, so that a compromise does not cost the database administrator's privileges.
    • Encapsulate database operations in a service which, for sensitive data, returns only one record per client IP within a given period. This prevents the whole database from being dumped.
    • Use a SQL anti-injection system.
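As an added, runnable example that is not part of the original article, the login check from the introduction is shown beside the first two defences listed above (parameterized query and quote doubling). SQLite's in-memory database stands in for SQL Server, and the student table with its single constructed row is an assumption made here.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the article's 'student' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE student (username TEXT, password TEXT)")
    conn.execute("INSERT INTO student VALUES ('alice', 's3cret')")
    return conn

def login_concat(conn, username, password):
    """Vulnerable: input is spliced into the SQL text (the 'direct attack' form)."""
    sql = ("SELECT * FROM student WHERE username='" + username +
           "' AND password='" + password + "'")
    return conn.execute(sql).fetchall()

def login_param(conn, username, password):
    """Hardened: parameterized query; input is bound as data, never parsed as SQL."""
    sql = "SELECT * FROM student WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()

def sql_quote(value):
    """Manual alternative from the article: double every single quote before
    concatenating. Only covers quoted string contexts; parameterization is preferred."""
    return "'" + value.replace("'", "''") + "'"

def login_escaped(conn, username, password):
    """Concatenation with quote doubling applied to every parameter."""
    sql = ("SELECT * FROM student WHERE username=" + sql_quote(username) +
           " AND password=" + sql_quote(password))
    return conn.execute(sql).fetchall()

# The username input from the article's introduction; the password is left empty.
PAYLOAD = "' or '1'='1' or '1'='1"

def demo():
    """Number of rows each variant returns for the payload and for a real login."""
    conn = make_db()
    return {
        "concat":  len(login_concat(conn, PAYLOAD, "")),       # WHERE is always true: 1 row
        "param":   len(login_param(conn, PAYLOAD, "")),        # payload compared as data: 0
        "escaped": len(login_escaped(conn, PAYLOAD, "")),      # quotes doubled: 0
        "honest":  len(login_param(conn, "alice", "s3cret")),  # legitimate login: 1
    }

if __name__ == "__main__":
    print(demo())
```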
FAQ
    1. If the Web site prohibits entering single quote characters, can SQL injection be avoided?
      A: No. There are several ways to encode a single quote character so that it is still received as input; some SQL injection vulnerabilities do not need that character at all; and the single quote is not the only character that can be used for SQL injection, since an attacker can use others such as double vertical bars (||) and double quotation marks (").
    2. Can the choice of programming language avoid SQL injection?
      A: No. Any programming language that passes unvalidated input into a dynamically created SQL statement is susceptible to attack, unless parameterized queries and bind variables are used.