With the growth of B/S (browser/server) application development, more and more programmers write applications in this mode. However, because the entry threshold in this industry is low, programmers' skill and experience vary widely. A considerable number of programmers do not check the legitimacy of user input when writing code, which exposes the application to security risks. A user can submit a piece of database query code and, from the results the program returns, obtain the data they want. This is called SQL injection.
SQL injection is a common attack that allows unscrupulous users to retrieve your data, change server settings, or even compromise your server if you are not careful. SQL injection is not a SQL Server problem; it is a problem of inappropriately written programs. If you run such programs, you must understand that you are at risk.
I. Principles
Before learning about SQL injection, you must first understand some basic knowledge about B/S mode applications and the interaction between browsers and servers. As a rough picture of the domestic situation, ASP + Access or SQL Server accounts for more than 70% of Chinese websites, PHP + MySQL for 20%, and everything else for less than 10%. In an ASP + SQL Server application, the ASP program is actually a client of SQL Server: it needs a valid SQL login name and password to connect to the SQL Server database. The following code is a typical example of connecting to SQL Server from ASP:
<%
rServer = "IBM-WEB-01"        ' SQL Server address
rUid = "webuser"              ' SQL Server login name
rPwd = "xxxxxxxxf"            ' SQL Server login password
rDatabase = "sitelog"         ' SQL Server database name
Set conn = Server.CreateObject("ADODB.Connection")
strConn = "driver={SQL Server};server=" & rServer & ";uid=" & rUid & ";pwd=" & rPwd & ";database=" & rDatabase
conn.Open strConn
%>
The SQL injection weakness arises when the developer builds a WHERE clause by concatenating user input into it. For example, the following simple ASP page, article_show.asp, displays the article from the info_article table whose ID matches the ID parameter received via GET:
<%
strID = Trim(Request.QueryString("ID"))            ' raw value from the query string, never validated
strSQL = "select * from info_article where ID = " & strID   ' user input concatenated straight into the WHERE clause
Set rs = Server.CreateObject("ADODB.Recordset")
rs.Open strSQL, conn, 1, 3
%>
<table width="100%" border="0" cellpadding="10" cellspacing="1" class="table1">
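The following is an added example, not code from the original article: it reproduces the article_show.asp pattern (user input concatenated into the WHERE clause) beside a hardened version that validates the ID and binds it as a query parameter. It uses an in-memory SQLite table as a stand-in for the SQL Server info_article table, with constructed sample rows, so that it runs offline.

```python
import re
import sqlite3

# Constructed sample data standing in for the article's info_article table (assumption: SQLite, not SQL Server).
SAMPLE_ROWS = [
    (1, "Public article", 0),
    (2, "Another public article", 0),
    (3, "Unpublished draft", 1),  # a row the page is not meant to reveal by ID lookup
]


def make_db():
    """Create the sample info_article table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE info_article (ID INTEGER PRIMARY KEY, Title TEXT, Hidden INTEGER)")
    conn.executemany("INSERT INTO info_article VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def show_article_concat(conn, str_id):
    """Mirrors article_show.asp: the ID string is glued into the WHERE clause, so any SQL in it is executed."""
    sql = "select * from info_article where ID = " + str_id
    return conn.execute(sql).fetchall()


def show_article_param(conn, str_id):
    """Hardened version: reject anything that is not a plain integer, then bind the value as a parameter."""
    if not re.fullmatch(r"[0-9]+", str_id):
        raise ValueError("ID must be a positive integer")
    sql = "select * from info_article where ID = ?"
    return conn.execute(sql, (int(str_id),)).fetchall()


def param_rejects(conn, str_id):
    """True if the hardened lookup refuses the input instead of running it."""
    try:
        show_article_param(conn, str_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    tampered = "2 or 1=1"  # constructed input: becomes valid SQL once concatenated
    print("concatenated, normal input:  ", show_article_concat(db, "2"))
    print("concatenated, tampered input:", show_article_concat(db, tampered))  # returns every row
    print("parameterized, normal input: ", show_article_param(db, "2"))
    print("parameterized rejects tampered input:", param_rejects(db, tampered))
```

In classic ASP the equivalent of the hardened version is to validate strID and then run the query through an ADODB.Command object with the ID supplied via its Parameters collection instead of string concatenation.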