SQL Injection principle overview _ dynamic node Java school arrangement, sqljava
1. What is SQL injection?
SQL injection is to insert SQL commands into Web forms to submit or input query strings for domain names or page requests, and finally fool the server to execute malicious SQL commands, for example, most of the previous VIP member passwords leaked by many video websites are exposed by submitting query characters through WEB forms. Such forms are particularly vulnerable to SQL injection attacks. when an application uses the input content to construct a dynamic SQL statement to access the database, an SQL injection attack occurs. If the Code uses stored procedures, which are passed as strings containing unfiltered user input, SQL Injection also occurs. Hackers can gain access to the website database through SQL injection attacks, and then they can obtain all the data in the website database, malicious hackers can use SQL injection to tamper with the data in the database and even destroy the data in the database. As a web developer, you hate this kind of hacker behavior. Of course, you also need to understand the principles of SQL injection and learn how to protect your website database through code.
Ii. Causes of SQL Injection
SQL injection attacks are attacks that use design vulnerabilities to run SQL statements on the target server and other methods, when a dynamic SQL statement is generated, user input data is not verified, which is the main cause of the successful SQL injection attacks. For JDBC connection to a java database, SQL injection attacks are only valid for Statement and invalid for PreparedStatement because PreparedStatement does not allow you to change the logical structure of the query at different insertion times.
If the SQL statement used to verify the existence of a user is:
UserName 'and pswd ='
Password
If you enter:'or 1=1
Or enter the following in the password field:'or 1=1
Verification will be bypassed, but this method is only valid for Statement and not for PreparedStatement. Relatively Statement has the following advantages:
1. Protection against injection attacks
2. Fast Running multiple times
3. Prevent database Buffer Overflow
4. Good code readability and maintainability
These four points make the PreparedStatement the first choice for accessing database Statement objects. The disadvantage is that the flexibility is not good enough. In some cases, the Statement must be used.
Iii. Principles of SQL Injection
Next, let's take a look at the principles of SQL injection to give readers a perceptual understanding of SQL injection attacks. The principles of other attacks are consistent.
SQL Injection allows attackers to bypass the authentication mechanism and completely control databases on remote servers. SQL is short for the structured query language. It is the de facto standard for database access. Currently, most Web applications use SQL databases to store application data. Almost all Web applications use a SQL database in the background. Like most languages, SQL syntax allows database commands to be mixed with user data. If developers are not careful, user data may be interpreted as commands. In this way, remote users can not only input data to Web applications, you can also execute arbitrary commands on the database.
There are two main types of SQL injection attacks. First, the code is directly inserted into the user input variables that are connected to the SQL command and executed. The above example uses this method. Because it is directly bundled with SQL statements, it is also called the direct injection attack method. The second is an indirect attack method, which injects malicious code into a table or serves as a string for storing the original data. The stored string is connected to a dynamic SQL command to execute malicious SQL code. The injection process works by terminating the text string in advance and then appending a new command. Take direct injection attacks as an example. When you enter a variable, use a semicolon to end the current statement. Then insert a malicious SQL statement. Because the inserted command may append other strings before execution, attackers often use annotations to mark "-" to terminate the injected strings. During execution, the system considers the subsequent statement bit comments, so the subsequent text will be ignored and compilation and execution will not be carried back.
Iv. Simple examples of SQL injection attacks:
Here is a common example to briefly describe the principles of SQL injection. Suppose we have a users table, which contains two fields: username and password. In our java code, beginners are used to using SQL concatenation for user verification. For example
:"select id from users where username = '"+username +"' and password = '" + password +"'
"The username and password here are the data we obtain from the web form. Next let's look at a simple injection. If we enter 'or 1 = 1 -- In the username input box of the form, enter something in the password form. If we enter 123 here. the SQL statement we want to execute becomesselect id from users where username = '' or 1=1-- and password = '123'
Let's take a look at this SQL statement, because 1 = 1 is true, and the and password = '20160301' is commented out later. Therefore, SQL verification is skipped. Here is just a simple example. There are still many ways to inject SQL statements. If you are interested, you can study them more deeply.
Summary
The above is a brief introduction to the SQL Injection principle introduced by xiaobian. I hope it will help you. If you have any questions, please leave a message and I will reply to you in a timely manner. Thank you very much for your support for the help House website!