During website development, we may have a security problem. I will introduce some common SQL injection attack methods. For more information, see.
1. escape characters are not properly filtered
When user input does not have escape character filtering, this form of injection or attack will occur and it will be passed to an SQL statement. In this way, the end user of the application performs operations on the statements in the database. For example, the following line of code demonstrates this vulnerability:
The Code is as follows: |
Copy code |
"SELECT * FROM users WHERE name = '" + userName + "';" |
This Code is designed to extract a specific user from its user table. However, if the user name is forged by a malicious user in a specific way, the operations executed by this statement may not be what the code author expects. For example, if you set the username variable (that is, username) to a 'or' t' = 't, the original statement changes:
The Code is as follows: |
Copy code |
SELECT * FROM users WHERE name = 'A' OR 'T' = 'T '; |
If this code is used in an authentication process, this example forces you to select a valid user name, because the value 'T' = 't' is always correct.
On Some SQL servers, for example, in SQL Server, any SQL command can be injected using this method, including executing multiple statements. The username value in the following statement will cause deletion of the "users" table, and all data can be selected from the "data" table (actually, the information of each user is disclosed ).
The Code is as follows: |
Copy code |
A'; drop table users; SELECT * FROM data WHERE name LIKE '% |
Make the final SQL statement look like the following:
The Code is as follows: |
Copy code |
SELECT * FROM users WHERE name = 'a'; drop table users; SELECT * FROM data WHERE name LIKE '% '; |
Other SQL statements do not use multiple commands in the same query as a security measure. This prevents attackers from injecting completely independent queries, but does not prevent attackers from modifying queries.
2. Incorrect type handling
If a field provided by a user is not a strong type, or the type is not enforced, this form of attack will be sent. When a numeric field is used in an SQL statement, this attack occurs if the programmer does not check the validity of user input (whether it is a numeric type. For example:
The Code is as follows: |
Copy code |
"SELECT * FROM data WHERE id =" + a_variable + ";" |
From this statement, we can see that the author wants a_variable to be a number related to the "id" field. However, if the terminal selects a string, it bypasses the need for escape characters. For example, if you set a_variable to: 1; drop table users, it will delete the "users" TABLE from the database and change the SQL statement:
The Code is as follows: |
Copy code |
SELECT * FROM data WHERE id = 1; drop table users; |
3. Database Server Vulnerabilities
Sometimes, database server software also has vulnerabilities, such as the mysql_real_escape_string () function vulnerability in MYSQL servers. This vulnerability allows an attacker to execute a successful SQL Injection Attack Based on the wrong unified character encoding.
4. Blind SQL injection attacks
When a Web application is vulnerable to attacks and its results are invisible to attackers, a so-called blind SQL injection attack occurs. Web pages with vulnerabilities may not display data, but different contents are displayed based on the results of logical statements injected into valid statements. This attack is time-consuming because a new statement must be carefully constructed for each byte obtained. However, once the vulnerability location and target information location are established, a tool called Absinthe can automate this attack.
5. Conditional response
Note that there is an SQL injection that forces the database to calculate the value of a logical statement on a normal application screen:
The Code is as follows: |
Copy code |
SELECT booktitle FROM booklist WHERE bookId = 'ok14cd' AND 1 = 1 |
This will lead to a standard image, and the statement
SELECT booktitle FROM booklist WHERE bookId = 'ok14cd' AND 1 = 2 when the page is vulnerable to SQL injection attacks, it may give a different result. Such an injection will prove that blind SQL injection is possible. It will allow attackers to design a statement that can judge the authenticity of a field in another table.
6. Conditional errors
If the WHERE statement is true, this type of blind SQL injection will force the database to judge a wrong statement, resulting in an SQL error. For example:
The Code is as follows: |
Copy code |
SELECT 1/0 FROM users WHERE username = 'ralph '. |
Apparently, if the user Ralph exists, Division by zero will lead to an error.
7. Time Delay
Time delay is a blind SQL injection. According to the injection logic, it can cause the SQL engine to execute a long queue or iyige Time Delay statement. Attackers can measure the page loading time to determine whether the injected statement is true.
The above is only a rough classification of SQL attacks. However, technically speaking, today's SQL Injection attackers are more intelligent and comprehensive in how to identify websites with vulnerabilities. Some new SQL attack methods have emerged. Hackers can use various tools to accelerate the vulnerability exploitation process. Let's take a look at the Asprox Trojan, which is mainly spread through a botnet that publishes emails. the entire working process can be described as follows: first, install the Trojan on the computer through Spam Sent by the controlled host. Then, the computer infected with the trojan will download a piece of binary code. When the trojan is started, it uses seo/seo.html "target =" _ blank "> search engines to search for vulnerable websites with Microsoft ASP technology. The search result becomes a list of targets for SQL injection attacks. Then, this trojan will launch SQL injection attacks to these sites, so that some websites are under control and damaged. Users who access these controlled and corrupt websites will be deceived and download malicious JavaScript code from another site. Finally, this code directs the user to the third site, where more malware, such as password-stealing Trojans, are available.
In the past, we often warned or suggested Web application programmers to test and patch their code, although the chances of detecting and using SQL injection vulnerabilities are not too high. However, more and more attackers have recently discovered and maliciously exploited these vulnerabilities. Therefore, before deploying the software, developers should take the initiative to test its code and patch the code immediately after a new vulnerability occurs.
For example, some people may use this method in the login window to bypass login. If your query username and password are in the same format:
The Code is as follows: |
Copy code |
[Code = 'SQL'] SELECT * FROM users WHERE username = {username} AND Password = {password} [/Code] You can use any user name and password: [Code = 'SQL'] 'OR ''='' [/code] In this way, the MySQL query for your authentication username and password becomes: [Code = 'SQL'] SELECT * FROM users WHERE username = 'anyuser' AND Password = ''OR'' ='' [/Code]
|
Because an empty string is always equal to an empty string, the query conditions are always true. Therefore, we can see that the risk of MySQL injection is still very high, because attackers can see the data that should have been accessed through login. It is very important to prevent your website from injection attacks. Fortunately, PHP can help us prevent injection attacks.
MySQL returns all rows in the Table. According to your program logic, all users may log on to the table because they are matched. Now, in most cases, people will open the magic_quotes_gpc option (which is also the default condition of PHP). This configuration will automatically add a backslash and escape all '(single quotes ), "(double quotation marks), (backslash), and null characters. However, this is not a simple solution, because not all characters that may cause risks are escaped. PHP has a function that can escape all MySQL characters that may lead to redundant SQL clauses. This function is mysql_real_escape_string ().
Be careful when using this function, because you may have enabled the magic_quotes_gpc option. Using mysql_real_escape_string () will cause the second escape. The following function avoids this problem. First, Judge
Whether the magic_quotes_gpc option is enabled, and then decide whether to execute mysql_real_escape_string ().
[Code = 'php']
The Code is as follows: |
Copy code |
// Enclose variables with quotation marks to ensure security Function quote_smart ($ value) { $ Link = mysql_connect ('mysql _ host', 'mysql _ user', 'mysql _ password '); // Escape If (get_magic_quotes_gpc ()) { $ Value = stripslashes ($ value ); } // Quote all non-Numbers If (! Is_numeric ($ value )) { $ Value = "'". mysql_real_escape_string ($ value, $ link )."'"; } Return $ value; } ?> |
[/Code]
Note that the quote_smart () function automatically quotes the string, so you do not need to add it yourself.
Note that, because different MySQL versions have different filtering requirements, mysql_real_escape_string () requires a MySQL connection to work. Therefore, the second parameter must be passed into a MySQL connection. This parameter can be omitted when MySQL is installed on the local machine. However, if MySQL is not installed on the local machine or is remotely connected to MySQL, this parameter is required. Otherwise, mysql_real_escape_string () returns an empty string.