What is a SQL injection attack? The so-called SQL injection attack is an attacker inserting a SQL command into a Web form's input domain or a page request query string, tricking the server into executing a malicious SQL command. In some forms, user-entered content is used directly to construct (or influence) dynamic SQL commands, or as input parameters to stored procedures, which are particularly susceptible to SQL injection attacks. Common SQL injection attack process classes such as: ⑴ an ASP. NET Web application has a login page that controls whether the user has access to the app and asks the user to enter a name and password.
The content entered on the ⑵ login page will be used directly to construct a dynamic SQL command, or directly as a parameter to a stored procedure. Here is an example of an asp: System.Text.StringBuilder query = new System.Text.StringBuilder ("SELECT * FROM Users WHERE Login = ' "). Append (Txtlogin.text). Append ("' and Password= '"). Append (txtPassword.Text). Append ("'"); ⑶ the attacker enters "' or ' 1 ' = ' 1" in the user name and password input box.
After the ⑷ user input is submitted to the server, the server runs the above ASP. NET code constructs the SQL command to query the user, but because the attacker enters a very special content, the resulting SQL command becomes: SELECT * from Users WHERE login = ' or ' 1 ' = ' 1 ' and password = ' or ' 1 ' = ' 1 '.
The ⑸ server executes a query or stored procedure that compares the identity information entered by the user with the identity stored in the server.
⑹ because the SQL command has actually been modified by an injected attack, it has not been able to actually authenticate the user, so the system is incorrectly authorized to the attacker. If an attacker knew that the app would use the input in the form to authenticate the query directly, he would try to enter some special SQL string tampering query to change its original functionality and spoof the system to grant access. The system environment is different, the attacker may cause different damage, which is mainly determined by the security permissions of the application to access the database. If the user's account has administrator or other advanced privileges, an attacker could perform various actions on the database's tables, including adding, deleting, or updating data, and possibly even deleting the table directly
How to prevent SQL injection attacks? Fortunately, it is not particularly difficult to prevent an ASP. NET application from being hacked into by a SQL injection attack, as long as all the input is filtered before the SQL command is constructed using the form's input content. Filtering input can be done in a variety of ways.
⑴ for dynamically constructing SQL queries, you can use the following techniques: first: Replace single quotes, that is, to change all occurrences of single quotes to two single quotes, to prevent the attacker from modifying the meaning of the SQL command. Take another look at the previous example, "SELECT * from users WHERE login = ' or ' 1 ' = ' 1 ' and password = ' ' or ' 1 ' = ' 1 '" will obviously get with "select * from Users WHERE login = ' or ' 1 ' = ' 1 ' and password = ' or ' 1 ' = ' 1 ' "different results. Second: Delete all hyphens in user input to prevent attackers from constructing classes such as "SELECT * from users where login = ' mas '--and Password = '", because the second half of this type of query has been commented out, is no longer valid, attacks If you know a legitimate user login name, you do not need to know the user's password to gain access to the smooth. Third: Restrict permissions for the database account that is used to execute the query. Perform query, insert, UPDATE, and delete operations with different user accounts. Because of the isolation of operations that can be performed by different accounts, the place used to execute the SELECT command is prevented from executing the INSERT, UPDATE, or delete commands.
⑵ uses a stored procedure to execute all queries. The way SQL parameters are passed prevents attackers from using single quotes and hyphens to enforce attacks. In addition, it allows database permissions to be restricted to only certain stored procedure executions, and all user input must follow the security context of the stored procedure being called, making it difficult to inject attacks again.
⑶ limit the length of the form or query string input. If a user's login name is at most 10 characters, do not endorse more than 10 characters entered in the form, which greatly increases the difficulty of an attacker inserting harmful code into a SQL command.
⑷ checks the legality of user input and is confident that the input contains only valid data. Data inspection should be performed on both the client and server side-the reason for server-side validation is to compensate for the fragile security of the client authentication mechanism. At the client, it is entirely possible for an attacker to obtain the source code of the Web page, modify the script that validates the legitimacy (or delete the script directly), and then submit the illegal content to the server through the modified form. Therefore, the only way to ensure that the validation operation is actually performed is to perform validation on the server side. You can use many of the built-in validation objects, such as RegularExpressionValidator, which automatically generate client-side scripts for validation, and you can also insert a method call from the server. If you cannot find a ready-made validation object, you can create one by CustomValidator yourself.
⑸ saves data such as user login name, password, and so on. Encrypt the data entered by the user and compare it to the data saved in the database, which is equivalent to "disinfect" the data entered by the user, and the data entered by the user no longer has any special meaning to the database, thus preventing the attacker from injecting SQL commands. The System.Web.Security.FormsAuthentication class has a hashpasswordforstoringinconfigfile that is ideal for disinfecting input data.
⑹ checks the number of records returned by the query that extracted the data. If a program requires only one record to be returned, but the actual returned record exceeds a row, it is treated as a error handling
What is SQL injection-type attack
