SQL injection definition, rationale, attack, and protection

First, the definition

SQL injection, by inserting a SQL command into a Web form to submit or entering a query string for a domain name or page request, eventually achieves a malicious SQL command that deceives the server. Specifically, it is the ability to inject (malicious) SQL commands into the background database engine execution using existing applications, which can be obtained by entering (malicious) SQL statements in a Web form to a database on a Web site that has a security vulnerability, rather than executing the SQL statement as the designer intended. For example, many of the previous film and television sites leaked VIP membership password is mostly through the Web form to submit query characters, such forms are particularly vulnerable to SQL injection attacks.

Second, the principle

The SQL injection attack refers to the introduction of a special input as a parameter to the Web application, which is mostly a combination of SQL syntax, the execution of SQL statements to perform the actions of the attacker, the main reason is that the program does not carefully filter the user input data, resulting in illegal data intrusion system.

According to the relevant technology principle, SQL injection can be divided into platform layer injection and Code layer injection. The former is caused by an insecure database configuration or a vulnerability to a database platform, which is mainly due to the fact that the programmer has not carefully filtered the input, thus executing the illegal data query. Based on this, the cause of SQL injection usually manifests in the following aspects:

① inappropriate types of treatment;

② insecure database configuration;

③ the unreasonable query set processing;

④ improper handling of errors;

⑤ escape character processing is not appropriate;

⑥ multiple commits are improperly handled.

Third, attack

SQL injection attacks occur when an application constructs a dynamic SQL statement to access the database by using the input content. SQL injection can also occur if the code uses stored procedures that are passed as strings that contain unfiltered user input. SQL injection may result in an attacker using an application to log in to execute commands in the database. The associated SQL injection can be done through the test tool pangolin. This can become a serious problem if your application connects to the database using an account that is too privileged. In some forms, user-entered content is used directly to construct dynamic SQL commands, or as input parameters in stored procedures, which are particularly susceptible to SQL injection attacks. While many web-site programs are written, there is no judgment on the legality of user input or improper handling of the variables in the program, which makes the application security hidden trouble. In this way, the user can submit a database query code, according to the results returned by the program to obtain some sensitive information or control the entire server, so SQL injection occurs.

Iv. Protection

To summarize, the main points are as follows:

1. Never trust the user's input. The user's input can be verified by regular expressions or by limiting the length, by converting the single quotation mark and the double "-".

2. Never use dynamically assembled SQL, either using parameterized SQL or directly using stored procedures for data query access.

3. Never use a database connection with administrator rights, and use a separate limited database connection for each app.

4. Do not store confidential information directly, encrypt or hash out passwords and sensitive information.

5. The exception information applied should give as few hints as possible, preferably using a custom error message to wrap the original error message.

Copyright NOTICE: This article for Bo Master original article, without Bo Master permission not reproduced.

SQL injection definition, rationale, attack, and protection