Three steps to block SQL Server Injection Vulnerability _mssql

Source: Internet
Author: User
Tags sql injection sql server injection
What is SQL injection?

Many web site programs in the writing, the user does not have to judge the legality of input data, so that the application has security problems. Users can submit a database query code (usually in the browser address bar, through the normal WWW port access), according to the results returned by the program to obtain some of the data, which is called SQL injection, that is, SQL injection.

website Nightmare ――sql injected

SQL injection modifies the Web site database through a Web page. It is able to add users with administrator privileges directly to the database, thereby ultimately gaining system administrator privileges. Hackers can use the access to the administrator's access to the Web site files or add a Trojan horse and a variety of malicious programs on the Web site and access to the site's users have caused great harm.

how to defend against SQL injection

The first step: many beginners download the SQL Universal Anti-injection system from the Internet program, in the need to prevent injection of the head of the page to protect others from manual injection test.

However, if you pass the SQL Injection Analyzer, you can easily skip the anti-injection system and automatically analyze its injection point. Then it only takes a few minutes for your administrator account and password to be parsed.

The second step: for the injection analyzer to prevent, the author through experiments, found a simple and effective method of prevention. First we need to know how the SQL Injection Analyzer works. In the process, the discovery software is not directed to the "admin" Administrator account, but directed to the authority (such as flag=1) to go. This way, no matter how your administrator account changes can not escape detection.

The third step: since can not escape detection, then we do two accounts, one is the ordinary administrator account, one is to prevent injection of the account number, why so say? I think, if you find a maximum number of permissions to create an illusion, to attract software detection, and this account is more than thousands of characters in the content of Chinese characters, It will force the software to analyze the account when it enters the full load state and even the resources are exhausted and freezes. Let's revise the database below.

1. Modify the structure of the table. The Administrator's Account field data type changes, text type to the Maximum field 255 (in fact, enough, if you want to do a larger point, you can choose a note type), the field of the password is also set.

2. Modify the table. Set an account with administrator privileges in ID1 and enter a large number of Chinese characters (preferably greater than 100 characters).

3. Place the real admin password in any position after ID2 (for example, on ID549).

We have completed the modification of the database through the three steps above.

Is this the end of the change? In fact, to understand that you do ID1 account is actually a permission account, and now the computer processing speed so fast, if you meet the last must be calculated out of the software, this is not safe. I think most people have come up with a way, yes, just write the character limit in the paging file that the administrator logs on to. Even if the other person uses this thousands of characters of the account password will be blocked, and the real password can be unrestricted.
Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.