Some simple SQL injection and prevent SQL injection detailed

If the user enters a Web page and inserts it into the MySQL database, there is an opportunity to leave the security issue known as SQL injection open. This lesson will teach you how to help prevent this from happening and help protect scripts and MySQL statements.

Injection typically occurs when processing a user input, such as their name, rather than a name, they give a MySQL statement that will run on your database unconsciously.

Never trust user-supplied data, only validate and then process the data as a rule, which is matched by pattern. In the following example, the user name is limited to the alphanumeric character alphanumeric the length of the underscore between 8 and 20 characters-these rules are modified as needed.

The code is as follows	Copy Code
if (Preg_match ("/^w{8,20}$/", $_get[' username '), $matches)) { $result = mysql_query ("SELECT * from Users" WHERE username= $matches [0] "); } Else { echo "username not accepted"; }

To illustrate this issue, consider this a summary:

The code is as follows	Copy Code
supposed input $name = "Qadir"; DELETE from users; "; mysql_query ("SELECT * from users WHERE name= ' {$name} '");

A function call should match a user-specified retrieval record from the Name column name in the user table. Under normal circumstances, the name contains only alphanumeric characters or spaces, such as the string iliac. But here, for $name, by attaching a whole new query, calling the database into a disaster: injecting the delete query deletes all the records of the user.

Fortunately, if you use MySQL, the mysql_query () function does not allow query stacking, or executes multiple queries in a single function call. If you try to stack a query, the call fails.

Other PHP database extensions, such as SQLite and PostgreSQL, happily carry out heap queries, execute all queries in a string, and create a serious security issue.

Prevent SQL injection:
Can handle all the escape characters in a clever scripting language, such as Perl and PHP. PHP's MySQL extension provides functions mysql_real_escape_string () input to MySQL for special characters to escape.

The code is as follows	Copy Code
if (GET_MAGIC_QUOTES_GPC ()) { $name = Stripslashes ($name); } $name = mysql_real_escape_string ($name); mysql_query ("SELECT * from users WHERE name= ' {$name} '");

Like dilemma:

To solve the like problem, a custom escape mechanism must be supplied by the user with the% and _ characters converted to text. Use the Addcslashes () function to allow you to specify a character range escape.

The code is as follows	Copy Code
$sub = Addcslashes (mysql_real_escape_string ("%something_"), "%_"); $sub = =%something_ mysql_query ("SELECT * from messages WHERE subject like ' {$sub}% '");

The above is just very simple, below see some commonly used injection

The judgment of SQL injection Vulnerability

In general, SQL injection generally exists in the form of such as: HTTP://xxx.xxx.xxx/abc.asp?id=XX ASP Dynamic Web pages with parameters, sometimes a Dynamic Web page may have only one parameter, sometimes there may be n parameters, sometimes an integer parameter, sometimes a string of parameters , can not generalize. In short, as long as it is a dynamic page with parameters and this page accesses the database, there is a possibility of SQL injection. If an ASP programmer does not have security awareness and does not perform the necessary character filtering, there is a high likelihood of SQL injection.

In order to fully understand the dynamic Web response information, first of all, please adjust IE configuration. Put the IE menu-tool-internet Option-advanced-Show friendly HTTP error messages in front of the hook to remove.

In order to explain the problem clearly, the following take HTTP://xxx.xxx.xxx/abc.asp?p=YY as an example of analysis, YY may be integral type, but also may be a string.

1, the judgment of the parameter of the whole type

When the input argument yy is an integral type, the SQL statement typically looks like this in abc.asp:

SELECT * from table name where field =yy, so you can test the existence of SQL injection with the following steps.

①http://xxx.xxx.xxx/abc.asp?p=yy ' (append a single quote), at this time ABC. The SQL statement in ASP becomes a

SELECT * from table name where Field =yy ', abc.asp run exception;

②http://xxx.xxx.xxx/abc.asp?p=yy and 1=1, the abc.asp runs normally, and is the same as the HTTP://xxx.xxx.xxx/abc.asp?p=YY operation result;

③http://xxx.xxx.xxx/abc.asp?p=yy and 1=2, abc.asp run abnormally;

If the above three steps are fully met, there must be a SQL injection vulnerability in abc.asp.

2, the judgement of the string type parameter

When the input argument yy is a string, the SQL statement typically looks like this in abc.asp:

SELECT * from table name where field = ' YY ', you can use the following procedure to test whether the SQL injection exists.

①http://xxx.xxx.xxx/abc.asp?p=yy ' (append a single quote), at this time ABC. The SQL statement in ASP becomes a

SELECT * from table name where Field =yy ', abc.asp run exception;

②http://xxx.xxx.xxx/abc.asp?p=yy&nb ... 39;1 ' = ' 1 ', the abc.asp runs normally, and the result is the same as HTTP://xxx.xxx.xxx/abc.asp?p=YY;

③http://xxx.xxx.xxx/abc.asp?p=yy&nb ... 39;1 ' = ' 2 ', abc.asp run abnormally;

If the above three steps are fully met, there must be a SQL injection vulnerability in abc.asp.

3, special circumstances of the treatment

Sometimes ASP programmers filter out single quotes and other characters in the programmer to prevent SQL injection. You can try this at this point in several ways.

① size Blending method: Because VBS is not case-sensitive, programmers often filter all uppercase strings or filter lowercase strings all at once, while case-by-case blending is often overlooked. such as using a select instead of Select,select;

②unicode: In IIS, internationalization is done in the Unicode character set, and we can enter the string into a Unicode string that is entered in IE. such as + =%2b, space =%20 and so on; UrlEncode information see annex I;

③ascii Code method: The input of some or all of the characters can be replaced by ASCII code, such as U=CHR, A=CHR (97), etc., ASCII information see annex II;

II. Analysis of database server types

In general, access and Sql-server are the most commonly used database servers, and although they all support T-SQL standards, there are differences, and different databases have different methods of attack and must be treated differently.

1, using the database server system variables to distinguish

Sql-server has User,db_name () and other system variables, the use of these system values can not only judge the Sql-server, but also can get a lot of useful information. Such as:

①http://xxx.xxx.xxx/abc.asp?p=yy and user>0 can not only determine whether it is sql-server, but also get the user name currently connected to the database

②http://xxx.xxx.xxx/abc.asp?p=yy&n db_name () >0 can not only determine whether it is sql-server, but also can get the name of the database currently in use;

2, the use of system tables

Access's system tables are msysobjects and do not have access rights in the Web environment, and sql-server system tables are sysobjects and have access under the Web environment. For the following two statements:

①http://xxx.xxx.xxx/abc.asp?p=yy and (select COUNT (*) from sysobjects) >0

②http://xxx.xxx.xxx/abc.asp?p=yy and (select COUNT (*) from msysobjects) >0

If the database is Sql-serve, then the first one, abc.asp must run normally, the second is abnormal; if access is two, it will be abnormal.