SQL Server injection prevention methods.
SQL Server injection prevention methods.
What is SQL injection?
Many website programs do not judge the validity of user input data when writing, which poses security risks to applications. You can submit a piece of database query code (usually in the address bar of a browser and access through the normal www port) to obtain the desired data based on the results returned by the program, this is the so-called SQL Injection, that is, SQL Injection.
Website nightmare-SQL Injection
SQL Injection modifies the website database through the web page. It can directly add users with administrator permissions to the database to ultimately obtain system administrator permissions. Attackers can use the administrator privilege to obtain files on the website or add Trojans and malicious programs to the webpage, which brings great harm to the website and netizens who access the website.
Defense Against SQL Injection
Step 1: many new users download SQL universal anti-injection system programs from the Internet and use them in the header of the page to prevent manual injection tests.
However, if you use the SQL injection analyzer, you can easily skip the anti-injection system and automatically analyze its injection points. Then, it takes several minutes for your administrator account and password to be analyzed.
Step 2: For the prevention of injection analyzer, the author found a simple and effective prevention method through experiments. First, we need to know how the SQL injection analyzer works. During the operation, it is found that the software is not directed to the "admin" Administrator account, but to permissions (such as flag = 1. In this way, no matter how your administrator account changes, it cannot be detected.
Step 3: since we cannot escape the test, we have two accounts, one being a common Administrator Account and the other being an account that prevents injection. Why do we say this? I think, if you look for an account with the largest permissions to create an illusion and attract software testing, and the content in this account is more than a thousand Chinese characters, this forces the software to analyze the account and even run out of resources, causing it to crash. Let's modify the database.
1. Modify the table structure. Modify the Data Type of the Administrator's account field, and change the text type to the maximum field 255 (in fact, It is enough. If you want to increase the value, you can select the remarks type ), the password field is also set.
2. Modify the table. Set the account with administrator permissions to id1. enter a large number of Chinese characters (preferably more than 100 characters ).
3. Place the real administrator password in any location after id2 ).
The preceding three steps are used to modify the database.
Is the modification finished? Otherwise, you must understand that the ID1 account you created is actually an account with real permissions. Now the computer processing speed is so fast. If you encounter a software that must be computed, this is also insecure. I think most people have come up with a solution, right, as long as you write character restrictions in the administrator login page file! Even if the other party uses this account password with thousands of characters, it will be blocked, and the real password can be unrestricted.