Useful techniques for preventing or mitigating SQL injection attacks

SQL injection attacks pose a huge potential threat to enterprise security. Once this attack succeeds, hackers can use it to harm your network, access your data, and even control your computer.

What is SQL injection?

The principle of SQL injection is very simple. When the application regards customer data as an input, those with bad intentions will have the opportunity to inject deliberately written data, which will cause the input behavior to become part of the SQL query.

SQL injection is a query string that inserts an SQL command into a Web form to submit or input a domain name or page request, and finally deceives the server to execute malicious SQL commands, for example, most of the previous VIP member passwords leaked by many video websites are exposed by submitting query characters through WEB forms. Such forms are particularly vulnerable to SQL injection attacks.

When an application uses the input content to construct a dynamic SQL statement to access the database, an SQL injection attack occurs. If the Code uses stored procedures, which are passed as strings containing unfiltered user input, SQL Injection also occurs. SQL injection may cause attackers to log on to the database and execute commands. This problem can become very serious if applications connect to the database using a privileged account. In some forms, the content entered by users is directly used to construct (or affect) dynamic SQL commands, or as input parameters of stored procedures. These forms are particularly vulnerable to SQL injection attacks. Many website programs do not judge the legality of user input or improperly process the variables in the program, which causes security risks to the application. In this way, the user can submit a piece of database query code and obtain sensitive information or control the entire server based on the results returned by the program, so SQL Injection occurs.

For example, the following code column is used as an example:

SELECT * FROM Users WHERE Username = $ username AND Password = $ password

This code is used to display the user name and password records in the user list. On the Web page, when the system prompts you to enter the user name and password, the hacker may enter:

1 or 1 = 1

1 or 1 = 1

The result is:

SELECT * FROM Users WHERE Username = 1 OR 1 = 1 AND Password = 1 OR 1 = 1

The hacker has successfully injected the OR condition into the verification process. Worse, condition 1 = 1 is generally true, so this SQL query often causes hackers to bypass the verification process.

Append another query to an existing query with a symbol similar to ";" (this additional query also explains some existing queries ). Hackers may delete your entire list or even change the data in it. Hackers can use commands to control your operating system, manipulate your computer, and use it as an intermediate station to attack other networks. All in all, SQL injection attacks have the following consequences:

Data Privacy loss

Loss of data integrity

Data leakage

Damage the entire network
How can we prevent SQL injection attacks?

The most important thing to do is to clean up data and verify data. Data cleanup refers to running any submitted data (such as MySQL's mysql_real_escape_string () function) through the function to ensure that any threatening characters, such as "'", SQL queries are not input as data.

Verification is different. Verification is to ensure that data is submitted as permitted. In the most basic operations, verification includes ensuring that the email address contains the @ symbol. When verification only accepts integers, only numbers can be provided and the Data Length cannot exceed the maximum. Verification is usually performed in two ways: listing the blacklist of dangerous or undesirable characters, and listing the list of given characters, which requires programmers to spend more time. Although data can be verified on the client, hackers can also modify the data. Therefore, it is necessary for users to verify all data on the server.

However, clearing and verifying data is far from ensuring the security of user data. The following describes ten methods to help you prevent or mitigate SQL injection attacks:

1. Do not trust anyone: If all data submitted by all users is dangerous, all data is verified.

2. Do not use dynamic SQL, including predicate statements, parameterized queries, or saved processes.

3. Updates and patches: vulnerabilities that hackers can exploit through SQL injection are usually found in programs and databases. Therefore, it is necessary to use program patches and updates.

4. Firewall: whether based on software or devices, you can use WAF to filter malicious data. A good firewall has a complete set of default rules, and it is easy to add new rules at any time. A waf can provide effective security protection before patches for new vulnerabilities are released.

5. Reduce attack interface: promptly process database functions to avoid exploitation by hackers. For example, xp_cmdshell extends the stored processes in ms SQL, which leads to a surge in Windows Command Windows and uses a string for execution, which is undoubtedly beneficial to hackers. Windows processes surging by xp_cmdshell have the same priority security permissions as SQL Server service accounts.

6. Use appropriate permissions: do not connect to your database when using administrator-level permissions, unless you have. Using limited account permissions is conducive to data security, and this can also restrict the permissions of hackers.

7. Confidentiality and privacy: assume that your application is not secure and will be adjusted along with encryption operations or hash passwords and other confidential data, including connection strings.

8. Do not disclose too much information: hackers can read a large amount of information about the database architecture from the error information. Therefore, make sure that the error information is as few as possible. The RemoteOnly mermerrors mode displays lengthy error messages on the local computer, so that external hackers can only receive error messages that cannot be operated due to poor operations.

9. Do not forget the fundamental principle: change the password of the application account frequently. Although this is common sense, in real life, it is difficult for many people to change their passwords for months or even years.

10. Buy better software: Before buying the software, let the code writer first check the code and fix security vulnerabilities in the customer's application.