Talking about the problem of injecting vulnerability

1. Analysis

When the client authenticates the login, it sometimes faces the script injection of the string, which may result in the addition of multiple logical operators due to the writing of the SQL string and the "forced matching" of the account password. Or, for example, inserting a malicious script into a website to steal a user's cookie, thereby stealing the customer's information. These issues can lead to user information and security breaches.

It's not hard to prevent SQL injection, but you know the principle. All SQL injections are initiated from the user's input. If you determine and filter all user input, you can prevent SQL injection. There are several types of user input, I would like to talk about common.
text box, address bar in the ***.asp? The id=1 and the like, the Radio box, and so on. General SQL injection is used in the address bar, or in the Password input text box enter 1 ' or ' 1 ' = ' 1 ' or in the User name input box enter ' or 1=1#.

2. Scene Simulation

We enter in the Click event button in the login screen:

1  Private voidBtnlogin_click (Objectsender, EventArgs e)2         {3             //How do I say the landing was successful? 4             //Select COUNT (*) from TBL where Uid=uid and pwd=pwd;5 6             stringUID =TxtUid.Text.Trim ();7             stringPWD = Txtpwd.text;8 9             //Verify ... Ten  One             stringConnStr = configurationmanager.connectionstrings["SQL"]. ConnectionString; A  -             stringsql ="Select COUNT (*) from logintestwithprimary where uid= '"+ UID +"' and pwd= '"+ pwd +"';"; -             intcount; the             using(SqlConnection conn =NewSqlConnection (connstr)) -             { -                 //Execution Object -                 using(SqlCommand cmd =NewSqlCommand (SQL, conn)) +                 { - Conn. Open (); +Count = (int) cmd. ExecuteScalar (); A                 } at             } -             if(Count >0) -             { -MessageBox.Show ("Landing Success"); -             } -             Else in             { -MessageBox.Show ("incorrect user name or password"); to  +             } -}

In this case, enter 1 ' or ' 1 ' = ' 1 in the password-side input box, and no matter what account name we enter, the login success MessageBox will pop up.

In this we can make the following changes:

1 string pwd = TxtPwd.Text.rePlace ("\ '","\ ' \ ') ");

We can also make the following adjustments to the SQL statement parameterized query, so-called parameterization is to be required value of the place, with a parameter variable to describe, that is, the substitution of parameters.

1     stringsql ="Select COUNT (*) from logintestwithprimary where [email protected] and [email protected];";//SQL query Statements2 3             //parameter Assignment4SqlParameter PUid =NewSqlParameter ("@uid123", UID);5SqlParameter ppwd =NewSqlParameter ("@pwd", PWD);6             7             // 8             intcount;9             using(SqlConnection conn =NewSqlConnection (connstr))Ten             { One                 using(SqlCommand cmd =NewSqlCommand (SQL, conn)) A                 { -                     //3 give the parameter to cmd - cmd. Parameters.Add (pUid); the cmd. Parameters.Add (PPWD); -  -  - Conn. Open (); +Count = (int) cmd. ExecuteScalar (); -                 } +             } A  at             if(Count >0) -             { -Console.WriteLine ("Landing Success"); -             } -             Else -             { inConsole.WriteLine ("Login Failed"); -}

3. Conclusion Analysis

Because 1=1 is always true, that is, where clauses are all the same, after the SQL is further simplified, it is equivalent to the following SELECT statement: SELECT COUNT (*) from logintestwithprimary where uid= ' 123 ' and pwd= ' 1 ' or ' 1 ' = ' 1 '. Yes, the purpose of this SQL statement is to retrieve the number of rows affected by all the fields in the Logintestwithprimary table, from which the result is true regardless of what the UID and PWD are, or are done or calculated.

In the case of parameterized queries, the database server does not treat the contents of the parameter as part of the SQL instruction, but only runs the parameters after the database has completed compiling the SQL instructions, so that even if the parameters contain instructions, they will not be run by the database. Commonly used databases such as Access, SQL Server, MySQL, SQLite support parameterized queries. This is also easy to form a specification to use SQL to operate, to avoid the problem of injecting vulnerabilities.

Talking about the problem of injecting vulnerability