Prevent query Statement Database Injection Vulnerability attack

Source: Internet
Author: User
Tags net command sql injection sql injection attack

Simply put, SQL injection is the process of passing SQL code to an application, but not in the way that the application developer intended or expected, and a large part of the programmer, when writing code, did not judge the legality of user input data and put the application in a security risk. The flaw is not the system, but the programmer's ignorance of the security factor in programming. SQL Injection Vulnerability attack principle is to use illegal parameters to obtain sensitive information, collection and collation, analysis of the Administrator account password.

When developing an application, especially a query about database information, there may be a concatenation string injection vulnerability in the query statement, which can lead to user data disclosure. So how to prevent the emergence of such vulnerabilities.

you can set parameters for a query statement, as shown in the following example :

Using (SqlConnection cn = new SqlConnection ("Connection string")

{

Cn.open ();

using (SqlCommand cmd = Cn.creatcommand ())

{

cmd.commandtext= "SELECT * from t_table where name= '" +textbox.text+ "";

(At this point, if you enter 1 ' or ' 1 ' = ' 1 ' In the text box, you can get the database information.) Can cause information to leak. The solution is to introduce parameters. The method is as follows.

cmd.commandtext= "SELECT * from t_table where name= @Name";

Cmd. Parameters.Add (New SqlParameter ("@Name", TextBox.Text))};

This way the query data is compared from the database query, no more injection vulnerability attacks.

}

}

Every time an essential SQL statement is written to the database operation, such as the following SQL statement that validates the login:

String strsql= "select * from Table Where username= '" +textboxusername.text+ ' "and userpassord= '" + textboxpassword.text+ "'";
or
String strsql=string. Format ("select * from Table where username= ' {0} ' and userpassword= ' {1} '", Textboxusername.text,textboxpassword.text);
in the above statement, the SQL statements for database operations are written in string concatenation, which is a common form of SQL statements used by early programmers and beginners for database operations. Textboxusername is the user name submitted in the Textboxusername text box, Textuserpassword is the password that the user submits in the Textuserpassword text box, in an ideal state, the user in order to attack the system , the user (that is, the hacker) may try to tamper with the SQL statements to achieve the purpose of the login. For example, a user might enter the following statement in the User name text box:
1 ' or 1=1--

Below we take the statement from the line above to the SQL statement used for login, and get the following SQL statement:
SELECT * from Table where userid= ' 1 ' or 1=1--' and username= '
A little bit of the database SQL statement, will soon find that the above sentence is not normal, this SQL statement will return all the table data, this is the hacker's opportunity, the hacker can use this method to log in successfully, can also get all the information of the table tables. Here's an explanation of this SQL statement: If you only have a select * from table, all of the table's information is returned, where is the query condition, 1=1 is always true, whether user= ' 1 ' is true or false,userid= ' 1 ' Or 1=1 is true. As for--' and username= ', because two hyphens (--) are comment tokens for MS SQL Server (the same technique is used for my SQL and Oracle databases, but the annotation marker used by my SQL is the symbol #,oracle uses a semicolon;),- After the content is uploaded to the database query is commented, then--the later content is useless, the SQL statement will not be executed, so where the query condition is always true, to sum up, the above SQL query statement will return all the table information!

through this SQL syntax vulnerability, hackers can achieve their goal , but SQL injection vulnerability attack is definitely more than this, complex there are many, I do not say. Let me talk a little bit, I know. NET should prevent the above SQL injection attack.
What we can do, if we don't modify the SQL query statement above, is to take advantage of the MaxLength property of the TextBox control, and then type the number of characters the hacker is typing, thus restricting the hacker from sending a large number of illegal commands to the server. The second approach is to remove single quotes from user input by adding one or more single quotes after the single quotation marks, or by replacing single quotes with spaces, which prevents such attacks. But the limitation is that if the user's username or password contains single quotes, then it is not OK!

one of the most perfect methods is to use the Ado.net Command object's set of parameters , in the previous SQL injection vulnerability attacks in the query, by using the string concatenation method to create dynamic queries, where we can use the Ado.net The function provided by the Parameters property of the command's object, passing the parameters used to execute the SQL statement, in which the parameter name must be prefixed with the character @, such as the following SQL query statement:
String Strsql= "select * from Table where username= @UserName and userpassword= @UserPassword";
In this statement, the @UserName and @userpassword are parameter names, and you can use the following statement to pass values for the parameter:
SqlCommand cmd=new SqlCommand (strsql,conn);
Sqlparameters[] Pams=new sqlparameters (New SqlParameters ("@UserName", Textboxusername.text), New SqlParameters ("@ UserPassword ", Textboxpassword.text));
Cmd. Parameters.addrange (PAMS);
Parameter names are case-insensitive, and this method is also appropriate for stored procedures and SqlDataAdapter objects.

Instead of stitching multiple strings, we use the @username and @userpassword names in the dynamic creation of SQL statements so that you can pass values using the parameters set of the SqlCommand object. This method makes it possible to create dynamic SQL connections securely. parameter is not a simple string substitution within SQL Server, SQL Server direct 0 compares data with added values, so there is no SQL injection vulnerability attack.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.