1. What is SQL injection
SQL injection inserts SQL commands into the fields of a submitted form, or into the query string of a domain name or page request, so that the server is tricked into executing malicious SQL. By crafting the SQL fragments passed in submitted parameters, the attacker obtains the data they want.
2. Types of SQL injection
SQL injection can be divided into five categories: numeric injection, string (character) injection, search-type injection (LIKE), IN-type injection, and statement-concatenation injection.
In an application, pay special attention to SQL injection in places such as IP address handling, search, bulk delete, and data copied from one database to another.
3. How injection happens
Let's look at a typical example
// Vulnerable: user input is concatenated directly into the SQL text.
SqlCommand cmd = new SqlCommand("SELECT * FROM pe_users WHERE UserName = '"
    + UserName + "' AND UserPassword = '" + PassWord + "'", conn);
Since no validation is performed on the username and password, if the username is admin' OR 1=1--
the SQL statement executed is as follows:
SELECT * FROM pe_users WHERE UserName = 'admin' OR 1=1--' AND UserPassword = ''
This is SQL injection: the WHERE condition is always true, and the login succeeds without any password.
4. How to prevent SQL injection
1. Filter or convert suspicious strings
Prevent SQL injection by writing a function that filters or transforms dangerous strings, and then calling it from Global.asax or from an overridden context instance.
Here's an example.
public static bool SqlFilter2(string inText)
{
    // Keywords that are treated as suspicious when they appear as separate words.
    string word = "and|exec|insert|select|delete|update|chr|mid|master|or|truncate|char|declare|join";
    if (inText == null)
        return false;
    foreach (string i in word.Split('|'))
    {
        // Match the keyword when it is followed or preceded by a space.
        if ((inText.ToLower().IndexOf(i + " ") > -1) || (inText.ToLower().IndexOf(" " + i) > -1))
        {
            return true;
        }
    }
    return false;
}
Then, in Global.asax:
protected void Application_BeginRequest(object sender, EventArgs e)
{
    // Traverse the POST parameters, except the hidden ViewState field.
    foreach (string i in this.Request.Form)
    {
        if (i == "__VIEWSTATE") continue;
        this.GoErr(this.Request.Form[i].ToString());
    }
    // Traverse the GET parameters.
    foreach (string i in this.Request.QueryString)
    {
        this.GoErr(this.Request.QueryString[i].ToString());
    }
}
private void GoErr(string tm)
{
    // Abort the request as soon as a suspicious value is found.
    if (WLCW.Extend.CValidity.SqlFilter2(tm))
        this.Response.End();
}
Pros: This is the approach most novice programmers use to prevent SQL injection, and it appears to prevent injection in most cases.
Cons: 1. It filters strings that were never meant as injection, causing unexpected problems. For example, if a forum member's name contains one of the filtered keywords, it causes unexpected problems and trouble.
2. Every request must be filtered or converted, which reduces program efficiency.
2. Using stored procedures for parameterized queries
The main purpose of SQL injection is to submit malicious SQL code so that malicious commands execute in the database. Consequently, SQL injection can be effectively prevented as long as the input is handled before the SQL command is executed. Parameterized queries can be used to prevent SQL injection effectively.
Example
// The SQL text is constant; the value is supplied separately as a parameter.
const string strSQL = "SELECT * FROM [pe_users] WHERE UserName = @UserName";
Parameters parms = new Parameters("@UserName", DbType.String, UserName);
It has one parameter, @UserName, which is added to the Command object through a Parameter object;
this gives you a parameterized query.
For the statement above, ADO.NET sends the following SQL statement to SQL Server:
exec sp_executesql N'SELECT * FROM [pe_users] WHERE UserName = @UserName',
    N'@UserName nvarchar', @UserName = N'name'
SQL Server substitutes the string "name" for @UserName when it executes the query.
Suppose you have the following input:
' UNION SELECT @@version, null, null--
The resulting SQL statement is as follows:
exec sp_executesql N'SELECT * FROM [pe_users] WHERE UserName = @UserName',
    N'@UserName nvarchar', @UserName = N''' UNION SELECT @@version, null, null--'
You can see that ADO.NET escapes the input: the whole string is bound as the parameter value rather than being parsed as part of the query.
public SqlParameter Add(string parameterName, SqlDbType sqlDbType, int size);
DbType or SqlDbType can be any of a variety of data types; choose the one that matches your data.
In some places you can also specify the length of the parameter (int size). This also helps prevent database overflows and reduces the possibility of SQL injection.
Advantage: Effectively prevents SQL injection.
Cons: Cannot be applied in some places, such as IN lists.
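As an added example (not code from the original post), the concatenated login query from section 3 beside its parameterized replacement, followed by a parameterized IN list, which goes one step beyond the post's example to cover the case it says parameters cannot handle directly. It assumes a SQL Server table pe_users(UserName, UserPassword) and a SqlConnection object; the connection is never opened, so the program runs offline and only shows the command text and bound parameters.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Linq;

public static class UserQueries
{
    // VULNERABLE: the input is spliced into the SQL text, so a value such as
    // admin' OR 1=1-- changes the structure of the query (section 3 of the post).
    public static SqlCommand BuildLoginVulnerable(SqlConnection conn, string userName, string password)
    {
        return new SqlCommand(
            "SELECT * FROM pe_users WHERE UserName = '" + userName +
            "' AND UserPassword = '" + password + "'", conn);
    }

    // SAFE: the SQL text is constant; values travel as typed, length-bounded parameters.
    public static SqlCommand BuildLoginParameterized(SqlConnection conn, string userName, string password)
    {
        var cmd = new SqlCommand(
            "SELECT * FROM pe_users WHERE UserName = @UserName AND UserPassword = @UserPassword", conn);
        cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
        cmd.Parameters.Add("@UserPassword", SqlDbType.NVarChar, 50).Value = password;
        return cmd;
    }

    // IN lists: generate one named parameter per value (@p0, @p1, ...). Only the
    // placeholder names are concatenated; each value is still bound, never parsed as SQL.
    public static SqlCommand BuildUsersIn(SqlConnection conn, IList<string> userNames)
    {
        if (userNames == null || userNames.Count == 0)
            throw new ArgumentException("at least one user name is required", nameof(userNames));

        string[] names = userNames.Select((_, i) => "@p" + i).ToArray();
        var cmd = new SqlCommand(
            "SELECT * FROM pe_users WHERE UserName IN (" + string.Join(", ", names) + ")", conn);
        for (int i = 0; i < userNames.Count; i++)
            cmd.Parameters.Add(names[i], SqlDbType.NVarChar, 50).Value = userNames[i];
        return cmd;
    }

    public static void Main()
    {
        // Constructed connection string; the connection is never opened.
        var conn = new SqlConnection("Server=(local);Database=example;Integrated Security=true");
        string input = "admin' OR 1=1--"; // the input from section 3 of the post

        Console.WriteLine(BuildLoginVulnerable(conn, input, "").CommandText);

        SqlCommand safe = BuildLoginParameterized(conn, input, "");
        Console.WriteLine(safe.CommandText);
        foreach (SqlParameter p in safe.Parameters)
            Console.WriteLine("  " + p.ParameterName + " = " + p.Value);

        SqlCommand inList = BuildUsersIn(conn, new[] { "alice", "bob", input });
        Console.WriteLine(inList.CommandText);
        foreach (SqlParameter p in inList.Parameters)
            Console.WriteLine("  " + p.ParameterName + " = " + p.Value);
    }
}
```

In the first line of output the injected quote and comment marker become part of the query text; in the parameterized versions the command text is identical whatever the input, and the same string appears only as a parameter value. The SQL text of BuildUsersIn depends only on how many values are passed, never on their content.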
3. White list
Description:
For parameters with a known range of values, a whitelist can be used, both to prevent SQL injection and to avoid query errors. For example, with ORDER BY + column name, where the column name is passed as a parameter, build a whitelist of column names, first check that the parameter is in the whitelist, and only then run the query; otherwise handle it as an error.
Advantages: Safe and reliable.
Cons: Narrow range of application.
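As an added example (not code from the original post), the ORDER BY whitelist the post describes, combined with a parameterized LIKE search term from the search-type category in section 2. The table, column names, and the ResolveSortColumn and BuildSearch helpers are assumptions; the connection is never opened, so the program runs offline.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class UserListing
{
    // The only sort columns the application will ever accept. The key is the value
    // received from the client; the value is the identifier spliced into the SQL.
    private static readonly Dictionary<string, string> SortColumns =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "name", "[UserName]" },
            { "created", "[CreatedDate]" },
        };

    // Returns the whitelisted column identifier, or null when the request is not on the list.
    public static string ResolveSortColumn(string requested)
    {
        string column;
        return requested != null && SortColumns.TryGetValue(requested, out column) ? column : null;
    }

    // ORDER BY cannot take a parameter, so only a whitelisted identifier is ever
    // concatenated; the search term itself is still bound as a parameter.
    public static SqlCommand BuildSearch(SqlConnection conn, string searchTerm, string sortBy, bool descending)
    {
        string column = ResolveSortColumn(sortBy);
        if (column == null)
            throw new ArgumentException("unsupported sort column: " + sortBy, nameof(sortBy));

        var cmd = new SqlCommand(
            "SELECT [UserName], [CreatedDate] FROM [pe_users] WHERE [UserName] LIKE @Term ORDER BY " +
            column + (descending ? " DESC" : " ASC"), conn);

        // Escape the LIKE wildcards so the user's term is matched literally.
        string escaped = (searchTerm ?? "").Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
        cmd.Parameters.Add("@Term", SqlDbType.NVarChar, 50).Value = "%" + escaped + "%";
        return cmd;
    }

    public static void Main()
    {
        // Constructed connection string; the connection is never opened.
        var conn = new SqlConnection("Server=(local);Database=example;Integrated Security=true");

        Console.WriteLine(ResolveSortColumn("name"));     // [UserName]
        Console.WriteLine(ResolveSortColumn("Created") ); // [CreatedDate] (case-insensitive)
        Console.WriteLine(ResolveSortColumn("other") == null); // True: rejected

        SqlCommand cmd = BuildSearch(conn, "50%_off", "name", true);
        Console.WriteLine(cmd.CommandText);
        Console.WriteLine(cmd.Parameters["@Term"].Value); // %50[%][_]off%
    }
}
```

The whitelist is a lookup from client value to a fixed identifier, so a client can only ever select among the two column names the code already contains; any other value stops the request before a command is built. The LIKE escaping keeps the search term literal, which addresses the search-type injection from section 2 rather than the structural injection the whitelist prevents.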
Reposted from http://www.cnblogs.com/taizhouxiaoba/archive/2009/02/11/1388228.html
SQL injection prevention in ASP.