Preventing SQL injection attacks

Source: Internet
Author: User
Tags how to prevent sql injection attack how to prevent sql injection mssql sql injection sql injection attack access database

SQL injection attacks are a great danger. Before explaining its prevention, it is important for database administrators to understand the rationale behind their attacks. This helps the administrator to take targeted prevention and control measures.
A simple example of a SQL injection attack.
Statement: = "SELECT * from Users WHERE value=" + a_variable + "
The above statement is a very common SQL statement, his main function is to let the user enter an employee number and then query the information of this employee. But if the statement is modified by a wrongful attacker, it could be the Black Hand that destroys the data. If the attacker enters the variable, enter the following SA001 ';d ROP table C_order--。 So the above SQL statement becomes a SELECT * from the Users where value= ' SA001 ';d ROP table C_order at the time of execution--。
What does this statement mean? ' A semicolon after the SA001 ' indicates the end of one query and the beginning of another statement. The double hyphen behind the C_order indicates that the remainder of the current line is just a comment and should be ignored. If the modified code is syntactically correct, the server executes the code. When the system is processing this statement, the query statement is executed first, and the user information of user number SA001 is found. The data then deletes the table C_order (the delete operation succeeds if there are no related constraints such as other primary keys). As long as the injected SQL code is syntactically correct, it is not possible to programmatically detect tampering. Therefore, you must validate all user input and carefully examine the code that executes the constructed SQL command on the server that you are using.
Second, the SQL injection attack principle.
It can be seen that SQL injection attacks are very harmful. Before explaining its prevention, it is important for database administrators to understand the rationale behind their attacks. This helps the administrator to take targeted prevention and control measures.
SQL injection is one of the most common attack methods for database. In this attack pattern, the attacker inserts some malicious code into the string. The string is then passed to an instance of the SQL Server database for analysis and execution through various means. As long as this malicious code conforms to the rules of the SQL statement, it will not be discovered by the system when the code is compiled and executed.
There are two primary forms of SQL injection attacks. One is to insert the code directly into a user input variable that is concatenated with the SQL command and makes it executable. The above example is the use of this method. Because of its direct binding with SQL statements, it is also known as direct injection attack method. The second is an indirect attack method that injects malicious code into a string to be stored in a table or stored as the original book. The stored string is connected to a dynamic SQL command to execute some malicious SQL code.
The injection process works by terminating the text string prematurely, and then appending a new command. As an example of a direct injection attack. is to use a semicolon to end the current statement when the user enters the variable. Then insert a malicious SQL statement. Because the inserted command may append additional strings before execution, the attacker often flags "-" with comments to terminate the injected string. When executed, the system will assume that the following statement is commented, so the subsequent text will be ignored, not compiled and executed.
Third, the prevention and control of SQL injection type attack.
Since SQL injection attacks are so harmful, how can we prevent them? The following recommendations may help database administrators prevent SQL injection attacks.
1, the ordinary user and the system administrator user's permission to have the strict distinction.
If an ordinary user embeds another drop TABLE statement with a query statement, is it allowed to execute? Because the drop statement is related to the base object of the database, the user must have permission to manipulate the statement. In the authority design, for the end user, that is, the application software users, there is no need to give them the database object creation, deletion and other permissions. So even when they use SQL statements with embedded malicious code, the code will not be executed due to restrictions on user permissions. Therefore, in the design of the application, it is best to distinguish between the user of the system administrator and the ordinary user. This minimizes the harm to the database caused by injection attacks.
2, forcing the use of parameterized statements.
If you are writing an SQL statement, the variables entered by the user are not embedded directly into the SQL statement. Instead of passing this variable through parameters, it is possible to effectively prevent SQL injection attacks. That is, the user's input must not be directly embedded in the SQL statement. In contrast, the user's input must be filtered, or a parameterized statement is used to pass a user-entered variable. Parameterized statements use parameters instead of embedding user input variables into SQL statements. With this approach, most SQL injection attacks can be eliminated. Unfortunately, there are not many database engines that support parameterized statements. However, the database engineer should use parameterized statements when developing products.
3, strengthen the validation of user input.
In general, the prevention and control of SQL injection attacks can be used in two ways, one is to strengthen the user input content inspection and validation, and the second is to force the use of parameterized statements to pass user input content. In SQL Server database, there are more user input content validation tools that can help administrators to deal with SQL injection attacks. Tests the contents of a string variable, accepting only the desired value. Rejects input that contains binary data, escape sequences, and comment characters. This helps prevent script injection and prevents certain buffer overflow attacks. Test the size and data type of the user input and enforce appropriate restrictions and conversions. This helps to prevent intentional buffer overflow, which is more effective in preventing injection attacks.
If you can use a stored procedure to validate the user's input. A stored procedure enables filtering of user input variables, such as rejecting some special symbols. As in the malicious code above, as long as the stored procedure to filter out the semicolon, then this malicious code will be useless. Before executing the SQL statement, some special symbols can be rejected through the database's stored procedures. Without affecting the database application, you should let the database reject input that contains the following characters. such as the semicolon delimiter, it is the primary accomplice of a SQL injection attack. such as the comment delimiter. Annotations are only used when the data is designed. The general user's query statement is not necessary to comment on the content, it can be directly rejected, and usually do so without accidental loss. By rejecting these special symbols, they will be useless even if the malicious code is embedded in the SQL statement.
The user input is always validated by testing the type, length, format, and range to filter what the user has entered. This is a common and effective measure to prevent SQL injection attacks.
4. Use the security parameters that are available from the SQL Server database.
To reduce the negative impact of injection attacks on SQL Server databases, a relatively secure SQL parameter has been specifically designed in the SQL Servers database. In the database design process, engineers should try to use these parameters to eliminate malicious SQL injection attacks.
The parameters collection is provided in the SQL Server database. This collection provides the ability to type check and length validation. If the administrator takes the Parameters collection, the user input is treated as a character value rather than as an executable code. Even if the user enters content that contains executable code, the database is filtered out. Because at this point the database only treats it as a normal character. Another advantage of using the Parameters collection is that you can enforce type and length checks, and values outside the range will trigger an exception. If the user enters a value that does not conform to the specified type and length constraints, an exception occurs and is reported to the administrator. In this case, if the employee number defines the data type as a string, the length is 10 characters. The user input is a character-type data, but it has a length of 20 characters. An exception is thrown at this point because the user enters content that is longer than the database field length limit.
5, multi-layered environment How to prevent SQL injection attack?
In a multi-tier application environment, all data entered by the user should be validated before being allowed into the trusted zone. Data that does not pass the validation process should be rejected by the database and an error message is returned up one level. Implement multilayer validation. Precautions taken against rogue malicious users may be ineffective against a determined attacker. A better approach is to validate the input at the user interface and at subsequent points across all cross-trust boundaries. Validating data in a client application can prevent simple script injection. However, if the next layer believes its input has passed validation, any malicious user who can bypass the client can access the system without restrictions. Therefore, in the multi-layer application environment, in order to prevent the injection attack, it is necessary to work together, the client and the database side should adopt corresponding measures to prevent the SQL statement injection attack.
6, if necessary, use professional vulnerability scanning Tool to find the point that may be attacked.
Using a professional vulnerability scanning tool, you can help administrators find points that might be injected by SQL. However, the vulnerability scanning tool can only detect attack points and not be able to proactively defend against SQL injection attacks. Of course, this tool is often used by attackers. An attacker could use this tool to automatically search for an attack target and implement an attack. To this end, if necessary, enterprises should invest in a number of professional vulnerability scanning tools. A sophisticated vulnerability scanner differs from a network scanner, which specializes in locating SQL injection vulnerabilities in a database. The latest vulnerability scanner can look for newly discovered vulnerabilities. So with professional tools, you can help administrators discover SQL injection vulnerabilities and alert administrators to take proactive steps to prevent SQL injection attacks. If an attacker can find a SQL injection vulnerability that the database administrator has discovered and taken positive steps to block the vulnerability, then the attacker will not be able to stop.

How to prevent hackers from invading web sites with several common security methods
? The purpose of this article is to tell the company how to build a secure Web site against hacking when building a website
? With the development of time, the Internet has become more and more obvious, More and more enterprises in the world through this 24-hour uninterrupted wave platform to build their own company's website, e-commerce activities; Because of the particularity and complexity of the Internet, once your corporate website is connected to the Internet, your corporate website is a public place where anyone can browse information on your corporate website, anyone (for example: hackers) are likely to test your corporate website technically, find your corporate web site in the design of the loopholes, whether his intention is malicious or other reasons, you can not stop his behavior, because hackers on the remote computer implementation of the operation.
? To build a site with a safety factor guarantee, which is related to the business reputation of an enterprise, it is necessary to do some of the most basic security precautions for its website, which is faced with rampant and rampant cyber attacks.
? Illegal character filtering and conversion
? Before hackers attack the site, the first use of the Pathfinder way, through the website of the message, forum, search and other systems, inject executable web script code and SQL syntax, to achieve the purpose of the intrusion site; text input boxes for all interactive interfaces of the website (e.g.: Web Message system, BBS Systems, blog systems, search systems, landing systems, etc. take the illegal character filtering and conversion technology in the client, through illegal character filtering and conversion of executable malicious code into readable HTML code, so that it basically lost the power of a broken website, Also play the role of protecting the website program source code from being destroyed.
? Create an information page that specifies a custom error (Error)
? The advantage is to prevent the site design source code overflow, hackers in the intrusion of the site's backend management system, often in the web address bar input executable SQL syntax and according to the programmer for the web name of the custom input URL file name, Once the hacker takes this approach, the hacker is taken to the information page that specifies the custom error (Error).

? How to deny Cookie authentication
? The benefit of cookies is that when the administrator and registered user log on to the website, the cookie will save the login information, and the cookie will automatically keep the information in the Landing page input text box for the next login, which is to facilitate the landing, but also provides a good opportunity for the hacker to collect the cookie information. Therefore, we should refuse to use the client-side cookie to verify the login mode, and instead use the server authentication method to log in and save the account and password in one-way encryption.
? Do not build your corporate website with a self-service web site
? Some web design companies to increase sales to reduce costs (in fact, most customers like to buy cheap self-built website system), the development of different uses of self-built web site system (such as: website content management, BBS, press releases, messages, blogs, etc.), At the same time in order to compete for the market, expand product visibility, often two ways to sell products: Personal version can be free to download; in fact, two versions of the website in the same program technology based on the development of the commercial version is authorized for commercial use, technical support and maintenance assurance; Hackers download Personal Edition, To devote themselves to the development of these self-help Web site system Open source code, to find out the program vulnerabilities, once found a vulnerable program vulnerability, through the search engine platform to retrieve the same model version of the Web site system, and then launched an attack; solutions find self-developed website company Design your corporate website, By encapsulating the design source code of the Web site as a ". dll" component, which ensures that the security of the site design and the protection of the source code, but also improve the safety factor of the site and reduce the damage to the site is compromised, because the hacker compromised the site is often from the research site source code to find a bug in the program.
? Fix Googel "Bauku" problem
? Some programmers in the development site like to use the virtual path method to invoke the database, which must be saved in the directory to open the WWW service, the natural escape from the cunning hacker's eyes, once the hacker cracked the real storage location of the database, can open and download the database from the browser's address bar, the consequences of the site is very dangerous, to ensure that your site's database is not downloaded by hackers, as long as the database is stored in a non-WWW service folder, through the physical (real) path method call database, You can completely prevent hackers from downloading your corporate website database.

? Create a robots file
? In order to prevent important folders of the website (such as: Background management) and files (such as: Pure Program Files) are not included in the search engine, first in the site root directory to build a "robots.txt" plain text file, to prevent the site of important files or other sensitive information is included in the search engine The largest multi-search engine platform complies with the robots protocol; When a search engine visits a website, it first finds the robots file in the root directory of the Web site and then reads the contents of the robots file to determine the scope it collects on the site. Robots file can be said to the search engine to include restrictions on the management of access to the Internet, so as to avoid the site of important files or other sensitive information on the network, in the security of the site to play a defensive role, robots files can be by the Web Designer in accordance with robots agreement, Freely prepared according to the actual situation of the website.
? Completely will eliminate hacker attacks and intrusion is impossible, completely in the site of each interface to filter and convert illegal string is not able to do, for example, in the file upload, cunning hackers will be able to avoid filtering and conversion of illegal string, will execute malicious script code to save ". gif" format or ". jpg" Format to implement file Upload vulnerability attack, the solution is to all uploaded files into a ". txt" plain text file read again, determine whether it is executable malicious script code, if it is deleted, but the site administrator to have Web program Foundation; the way hackers invade the site is changeable Thousands of kinds of free burst website software, make your enterprise website is impossible to prevent, but the above introduction several defensive measures to rookie hacker is feasible, for some senior hacker, he also has to spend some energy and time to break your enterprise website, he will consider worth? After all, your site is just a corporate website, not a website where banks and securities negotiate cash transactions (they have a higher level of design safety), and in most cases, "warrior" hackers will not patronize your corporate website.

1. Intrusion of SQL Injection Vulnerability
This is the Asp+access website intrusion method, through the injection point list of the database administrator's account number and password information, and then guess the site's back-end address, and then log in with the account number and password to find the location of the file upload, the ASP Trojan upload, get a website Webshell. This is the black chain used in the previous part, it should be more commonly used. There are too many Webshell sold online now.
2, the use of ASP upload vulnerability
This technology is the use of some Web site ASP upload function to upload ASP Trojan an intrusion way, many websites have limited the type of upload files, in general, ASP is the suffix of the file is not allowed to upload, but this limitation can be hacked by hackers, Hackers can take a cookie to deceive the way to upload ASP trojan, access to the site's Webshell permissions.
3, back-Office Database backup method to obtain Webshell
This is mainly the use of the site background to the Access database database backup and recovery functions, backup database path and other variables are not filtered resulting in any file suffix can be changed to ASP, then use the site upload function upload a file name to JPG or gif suffix ASP trojan, Then use this recovery library backup and restore function to restore the Trojan to an ASP file, so as to obtain access to the site Webshell control permissions.
4. Site side-note intrusion
This technique uses IP-bound domain names to find out how many sites are on the server, and then, through some weak websites, to invade, and then to control the server's other sites.
Below these kinds of I can not understand, but a bit of high-tech webmaster will understand.
5. Intrusion technology using SA injection point
This is the intrusion of the Asp+mssql site, find the SQL injection point with SA permissions, and then use the xp_cmdshell storage extension of the SQL database to run the system command to establish a system-level account, and then log in through 3389, or on a broiler with NC open a listening port , and then use VBS a word trojan download a NC to the server inside, then run the NC Reverse connection command, let the server reverse connection to the remote broiler, so that the remote broiler has a remote system administrator-level control permissions.
6. SA Weak password intrusion technology
This approach is to use the scanner to detect the SQL account and password information to get the sa password, and then use a tool such as sqlexec to connect to the remote server via port 1433, and then open the System account, through 3389 login. Then this intrusion mode can also be used in conjunction with Webshell, the General Asp+mssql Web site will usually be the MSSQL connection password written to a configuration file, which can be used to read the Webshell in the configuration file sa password, You can then upload a SQL Trojan to gain control of the system.
7, submit a sentence of the Trojan invasion mode
This technique is the intrusion of some database addresses that have been converted to ASP files. Hackers through the website message version, forum system and other functions to submit a word Trojan into the database inside, and then in the Trojan client input the database address of the site and submit, you can put an ASP Trojan into the site, access to the site's Webshell permissions.
8, Forum exploits the use of intrusion mode
This technology is the use of some forum security loopholes to upload ASP Trojan to obtain Webshell permissions, the most typical is that, Dynamic Network 6.0 version, 7.0 version are security vulnerabilities, take 7.0 version, register a normal user, and then use the capture tool to crawl the user to submit an ASP file cookie, and then use the software such as the Ming Kid to take cookie spoofing upload method can upload an ASP trojan, get the website Webshell.

Preventing SQL injection attacks

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.