Talking about the anti-SQL injection of PHP website

Source: Internet
Author: User
Tags http cookie php website postgresql prepare sql injection sql injection attack

SQL (Structured Query Language) is a structured query language. SQL injection, which is the insertion of SQL commands into the query string of the Web form's input domain or page request parameters, causes the database server to execute a malicious SQL if the server side does not rigorously validate the validity and legality of the parameters when the Web table is submitted by a one-way Web server for a GET or POST request Make.

The process of SQL injection attacks:

(1) Determine if the WEB application is capable of SQL injection.

(2) Find the SQL injection point.

(3) Guess the user name and password.

(4) Look for the WEB system Management background portal.

(5) implementation of intrusion and destruction.

One, SQL injection Vulnerability test Tool 1. Sqlmap

SQLMAP is an automated SQL injection tool whose main function is to scan, discover and exploit the SQL injection vulnerability of a given URL, and the recently supported databases are MS SQL Server, MySQL, Oracle and PostgreSQL. SQLMAP employs four unique SQL injection techniques, namely blind inference SQL injection, UNION query SQL injection, heap query, and time-based SQL blind injection. Its wide range of features and options include database fingerprinting, enumeration, database extraction, access to the target file system, and arbitrary commands when obtaining full operational privileges.

1.1 Sqlmap Common Command Introduction

Target: At least one of the options needs to be set to set the destination URL.

-D Direct connects directly to the database.

-u URL,--url=url destination URL.

Request: These options can be used to specify how to connect to the destination URL.

――data=data the data string sent via POST.

――cookie=cookie HTTP Cookie header.

Optimization (Optimization): These options can be used to optimize the performance of Sqlmap.

-O Account All optimization switches

--threads=threads maximum HTTP (S) request concurrency (default is 1).

Injection (INJECTION): These options can be used to specify which parameters to test.

-p testparameter parameters that can be tested.

--prefix=prefix injects a payload string prefix.

2 Sqlier

Sqlier can find a URL with a SQL injection vulnerability on the site and generate a exploit for SQL injection vulnerability based on information, but it does not require user interaction. In this way, it can generate a union select query, which in turn can forcefully attack the database password. This program does not use quotes when exploiting vulnerabilities, which means it adapts to a variety of web sites.

Sqlier through the "true/false" SQL injection vulnerability brute force password. With the help of the "true/false" SQL injection Vulnerability brute force password, the user cannot query the data from the database and can only query a statement that returns a value of "true" and "false".

According to statistics, a eight-character password (including any character in the decimal ASCII code) can be cracked in about 1 minutes.

2.1 Its use syntax is as follows, Sqlier [options] [URL]

The options are as follows:

-C: [host] clears the host's exploit information

-S: Number of seconds to wait between Web requests

-u:[user Name] A brute force attack user name from the database, separated by commas

-w:[[options] to wget

In addition, this program supports guessing field names and has the following options:

--table-names [table name]: A table name that can be guessed, separated by commas

--user-fields[user Fields]: The name of the user name field that can be guessed, separated by commas

--pass-fields [Password field]: The name of the password field that can be guessed, separated by commas

3 Pangolin

Pangolin is a security tool that helps penetration testers perform SQL injection (SQL Injeciton) testing. Pangolin and Jsky (Web application Vulnerability scanner, Web Application Security Assessment tool) are the products of NOSEC Corporation. Pangolin has a friendly graphical interface and supports testing of almost any database (Access, MSSQL, MYSQL, Oracle, Informix, DB2, Sybase, PostgreSQL, Sqlite). The pangolin is able to achieve maximum attack test results with a very simple set of operations. It gives the test steps from the beginning of the detection injection to the final control target system. Pangolin is the most current security software for SQL injection testing with the highest utilization rate in the country.

II. prevention of SQL injection attacks 1. Filter input data (filter input)

A) for situations where SQL queries are constructed dynamically, you can use alternate characters and methods to remove special characters.

b) Check the legality of user input and prevent illegal data entry. Data checks should be performed on both the client and server side. Server-side validation is performed to compensate for deficiencies in the client authentication mechanism.

c) Limit the length range entered by the form or query string.

d) Encrypt data such as user login name, password, etc.

2. Escaping data sent to the database (escape output)

Try to use the escape function designed for your custom database. If not, using the function addslashes () is a good method, and it is better to use the Mysql_real_escape_string function for string arguments and to force filtering with the Intval,floatval function for numeric parameters. When all the data used to create an SQL statement is properly filtered and escaped, the risk of SQL injection is actually avoided.

3. Parametric query

parameterized queries (parameterized query) refers to the fact that a WEB program uses parameters to pass to a value when it implements a database query, avoiding direct assignment where a value or data needs to be committed.

Using parameterized query techniques, the database server does not treat the contents of the parameters as an integral part of the SQL instructions, and then loads the parameters after the database system has completed compiling the SQL instructions. Therefore, even if the parameter contains instructions, it will not be run by the database compilation.

4. Using Stored Procedures

Stored procedures are stored inside the database system and are used by the WEB application to execute stored procedures that allow user-defined variables, conditional execution, and other rich programming capabilities. The program developer uses the stored procedure to build the SQL query statement code in advance and then transmits the values through the parameters in use. Stored procedures play a three-point security role: First, the stored procedure is pre-compiled before execution, the compilation error is not executed, and secondly, the authorization access to the data is based on the stored procedure rather than directly accessing the base table, and the attacker cannot detect the SELECT statement; Stored procedures can specify and validate user-supplied value types.

However, there are some limitations to stored procedures, and if the commands executed in the stored procedure are stitching strings, there is a risk of being injected into the attack. In addition, the stored procedure does not support all database platforms.

5. Connect to the database using PDO

The best way to prevent SQL injection is not to set SQL commands and parameters yourself, but to use PDO's prepare and bind, which is to separate the SQL query commands from the parameters passed. When using prepare, DB Server parses SQL statements into SQL commands. When using bind, just dynamically pass the SQL command parsed by the DB server.

Iii. Summary

In addition to the above introduction of the prevention of SQL injection attack methods, there are URL reset technology, page static, masking error messages, using the Web application firewall and other measures. With these measures, SQL injection can be proactive.

Talking about the anti-SQL injection of PHP website

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.