SQL Injection and prevention, SQL Injection prevention

SQL Injection and prevention, SQL Injection prevention
SQL Injection: SQL Injection refers to inserting SQL commands into Web forms to submit or enter query strings for domain names or page requests. In this way, the server can finally execute malicious SQL commands. Specifically, it uses existing applications to inject (malicious) SQL commands into the background database engine for execution. It can input (malicious) SQL commands in Web forms) SQL statements get a database on a website with security vulnerabilities, instead of executing SQL statements according to the designer's intent.
SQL Injection Method:I. concatenate strings(Enter an SQL statement in the input box to change the original intention.) Select * from T_User where UserID = 'txtuserid. text' andPassword = 'txtpassword. text'
The principle is to find the user name (UserID) and Password in the T_User table for authorized access, in txtUserID. text is mysql, txtPassword. if Text is mary, the SQL query statement is:
Select * from users where username = 'mysql' and password = 'Mary'
If you assign 'or '1' = '1' -- and abc to txtUserID. Text and txtPassword. Text respectively. The preceding statement in the SQL script interpreter is changed:
Select * from T_User where UserID = ''or '1' = '1' -- and Password = 'abc'
The statement has two conditions. If one condition is true, the execution is successful. While '1' = '1' is consistent in the logic judgment, and the "--" next to it indicates the comment, that is, all the statements below are the comment statements, so that we can log on successfully. SQL injection is successful.

Original SQL statement: insert into category (name) values ('"+ caName + "')
In the input box, enter caName = ') select category --')
SQL statement: insert into category (name) values ('entertainment news ') Select category --')
After the SQL statement changes, the insert and query operations will be executed (if the modification is not a query but a deletion operation, it will be even more terrible), that is, the SQL injection is successful.

Ii. View error page information(SQL Server has some system variables, if we do not limit the output of error information, then injection can be directly obtained from the error information) Web site: http://www.xxx.com/Login.aspx? Id = 49 and user> 0 first, the preceding statement is normal, with emphasis on and user> 0. We know that user is a built-in variable of SQL Server, the value is the username of the current connection and the type is nvarchar. Compare the nvarchar value with the int value 0. The system will first try to convert the nvarchar value to the int type. Of course, the conversion process will definitely fail. The SQL Server Error prompt is: A syntax error occurs when converting nvarchar value "abc" to an int column. abc is the value of the variable user. In this way, the user name of the database is obtained, that is, the SQL injection is successful.
SQL Injection prevention:I. Simple defense:1. restrict special characters and length in the input box
2. Set the error prompt page on the Web:
Set in the Web. Config file
<! -- Automatic orientation when an error occurs ("~ /Error.html "is the pop-up page path) -->
<CustomErrors mode = "On" defaultRedirect = "~ /Error.html "> </customErrors>
3. URL rewriting:
URL rewriting is the process of first obtaining an access URL request and then re-writing it into another URL that the website can process. For example, if the URL in the browser is "UserProfile. aspx? ID = 1 ", it can be rewritten to" UserProfile/1. aspx"
Ii. Prevention of SQL statements1. parameterized Query: Parameterized Query or Parameterized Statement refers to the Parameter used when the data is designed to be linked to the database and accessed, where the value or data needs to be filled in).
For example:
Do not use parameterized query:
String SQL = "select * from comment where newsId =" txtnewsId "order by createTime desc ";
Because the "txtnewsId" in the preceding SQL statement is uncertain, you need to re-compile the SQL statement each time you call it. This can be achieved using the concatenated string above for SQL injection.
Use parameterized query:
String SQL = "select * from comment where newsId = @ newsId order by createTime desc ";
SqlParameter [] paras = new SqlParameter [] {new SqlParameter ("@ newsId", newsId )};
Because the preceding SQL statement is fixed, you only need to pass the value of @ newsId during the call. Therefore, even if you enter any information, it will be passed as a value, prevents SQL injection.
2. Write the stored procedure:
In fact, parameterized query is also required in the stored procedure, and the stored procedure itself does not have SQL injection to prevent SQL injection.
3. Restrict Database Access Permissions:
Set special permissions for different users. For example, a user with a username of 1 can only perform query operations. However, after user 1 Information is stolen and logged on, other operations cannot be performed on the table, this ensures data security to a certain extent.

Copyright Disclaimer: This article is an original article by the blogger and cannot be reproduced without the permission of the blogger.