"ASP."--sql Injection

When it comes to SQL injection, Master gives the acceptance project a mention. But has not been in-depth to think of what is going on ~ ~ Learning the NET, do news release system, and met, this time can not let go

definition

SQL injection, by inserting a SQL command into a Web form to submit or entering a query string for a domain name or page request, eventually achieves a malicious SQL command that deceives the server. Specifically, it is the ability to inject (malicious) SQL commands into the background database engine execution using existing applications, which can be obtained by entering (malicious) SQL statements in a Web form to a database on a Web site that has a security vulnerability, rather than executing the SQL statement as the designer intended. [1] For example, many of the previous film and television sites leaked VIP membership password is mostly through the Web form to submit query characters, such forms are particularly vulnerable to SQL injection attacks. --Baidu Encyclopedia

Experiment

Add a news category SQL statement to the system:

Insert Intocategoryinfo (name) VALUES (' "+ CAName +")

When we enter in the interface: Entertainment gossip, click Add News Category

Entertainment gossip will replace "+ CAName +" and execute.

So, when we enter in the text box:

Entertainment News ') Delete categoryinfo where id=13--

This paragraph replaces "+ CAName +" to form:

Insert into CategoryInfo (name) VALUES (' Entertainment news ') Delete categoryinfo where id=4--') ";

Equivalent:

Insert into CategoryInfo (name) VALUES (' Entertainment news ');

Delete categoryinfo where id=4--') ";

Then the contrast effect after execution is:

Front: After:

This is an effect of SQL injection. In this way, our database was destroyed. Through the SQL injection, is the hacker obtains the database internal information one kind of method, for our system security, we need to do the protection.

how to avoid:for this type of SQL injection, the effective way is to use the arguments for SQL statements without stitching strings.
To Pass a string statement:

public int test ()        {            int res;            using (cmd = new SqlCommand ("INSERT into CategoryInfo (name) VALUES (@caName)", Getconn ()))            {                cmd. Parameters. ADD (New SqlParameter ("@caName", "SQL Injection succeeded"));                res = cmd. ExecuteNonQuery ();            }            return res;        }

To pass the parameter instead:

public int test ()        {            int res;            using (cmd = new SqlCommand ("INSERT into CategoryInfo (name) VALUES (@caName)", Getconn ()))            {                cmd. Parameters.Add (New SqlParameter ("@caName", "Entertainment News") Delete categoryinfo where id=4--"));//sql injection failed                res = cmd. ExecuteNonQuery ();            }            return res;        }

This is just a way to avoid it.
What kind of protection do we need to do at ordinary times?
1. Restrict the user from incorrect format input.
2. Convert the special characters. That is, "'" is no longer "'" when the SQL statement is run, it may be a number, so there is no more confusion about the SQL statement.
3. When an error occurs, minimize the amount of information. It is a good idea to wrap the error message. Because the professional people can according to the yellow pages of the newspaper analysis of what tables in the library and other information ...
4. Encrypt the important information. So as not to leak easily.
5. Do not stitch strings ...    ......

This is something I can think of a special basis for prevention-certainly there are more advanced means. This also requires us to continue to explore!     

"ASP."--sql Injection