Talk about six suggestions to prevent SQL injection attacks

Source: Internet
Author: User

Intermediary transaction http://www.aliyun.com/zixun/aggregation/6858.html ">seo diagnose Taobao guest cloud host technology Hall

SQL injection attacks are highly hazardous. Before explaining its methods of prevention, it is necessary for the database administrator to understand the rationale of the attack. This is conducive to the administrator to take targeted preventive measures.

A simple example of SQL injection attacks.

Statement: = "SELECT * from Users WHERE value=" + a_variable + "

The above statement is a very common SQL statement, his main function is to let the user enter an employee number and then query the employee's information. But if the statement is modified by an outlaw attacker, it could become a black hand to destroy the data. If an attacker enters a variable, enter the following content SA001 ';d ROP table C_order--。 The above SQL statement then becomes the select * from Users where value= ' SA001 ';d rop table C_order--。

What does this statement mean? The semicolon following SA001 ' indicates the end of a query and the beginning of another statement. The double hyphen following the c_order indicates that the remainder of the current line is just a comment and should be ignored. If the modified code syntax is correct, the server executes the code. When the system processes this statement, it will first execute the query statement and find the user information that the user number is SA001. The data then deletes the table C_order (the deletion succeeds if there are related constraints, such as other primary keys). You cannot programmatically detect tampering as long as the injected SQL code is syntactically correct. Therefore, you must validate all user input and carefully examine the code that executes the constructed SQL command on the server you are using.

Second, the SQL injection attack principle.

Visible SQL injection attacks are highly harmful. Before explaining its methods of prevention, it is necessary for the database administrator to understand the rationale of the attack. This is conducive to the administrator to take targeted preventive measures.

SQL injection is one of the most common attacks against databases at the moment. In this mode of attack, the attacker inserts some malicious code into the string. The string is then passed to the instance of the SQL Server database for analysis and execution by various means. As long as this malicious code conforms to the rules of the SQL statement, it will not be discovered by the system when the code is compiled and executed.

There are two main types of SQL injection attacks. The first is to insert the code directly into the user input variable that is concatenated with the SQL command and makes it execute. The above example is the use of this method. Because of its direct binding with the SQL statement, it is also known as the direct injection attack method. The second is an indirect method of attack, which injects malicious code into a table to store or as a string stored in the original book. The stored string is connected to a dynamic SQL command to execute some malicious SQL code.

The injection process works by prematurely terminating the text string and then appending a new command. As an example of a direct injection attack. It is when a user enters a variable that ends the current statement with a semicolon. Then insert a malicious SQL statement. Because the inserted command may append additional strings before execution, the attacker often terminates the injected string with the annotation tag "-". execution, the system will be considered after the statement bit annotation, so the subsequent text will be ignored, do not compile and execute.

Thirdly, the prevention of SQL injection attack.

Since SQL injection attacks are so harmful, how can we prevent them? The following recommendations may be helpful to database administrators in preventing SQL injection attacks.

1, the ordinary user and the system administrator user's authority must have the strict distinction.

If a normal user embeds another drop TABLE statement in a query, does it allow execution? Because the drop statement is related to the basic object of the database, the user must have relevant permissions to manipulate the statement. In the permission design, to the end user, namely the application software user, does not need to give them the database object establishment, the deletion and so on permission. So even if they use malicious code embedded in SQL statements, the code will not be executed due to restrictions on their user rights. Therefore, when the application is designed, it is best to distinguish between the user of the system administrator and the ordinary user. This minimizes the risk to the database of an injection attack.

2, forced use of parameterized statements.

If you are writing an SQL statement, the variables entered by the user are not embedded directly into the SQL statement. Instead, it is possible to effectively prevent SQL injection attacks by passing this variable with parameters. That is, the user's input must not be directly embedded in the SQL statement. In contrast, the user's input must be filtered, or a parameterized statement is used to pass the user-entered variable. Parameterized statements use parameters instead of embedding user input variables into SQL statements. With this approach, most SQL injection attacks can be eliminated. Unfortunately, there are not many database engines that support parameterized statements. However, database engineers should try to adopt parameterized statements when developing products.

3, strengthen the validation of user input.

In general, there are two methods to prevent SQL injection attacks, one is to strengthen the inspection and verification of user input content, and the other is to force parameterized statements to pass the user input. In the SQL Server database, there are a number of user input validation tools that can help administrators deal with SQL injection attacks. Tests the contents of a string variable, accepting only the desired value. Rejects input that contains binary data, escape sequences, and annotation characters. This helps prevent script injection and prevents some buffer overflow attacks. Test the size and data type of user input, enforcing appropriate restrictions and conversions. This is helpful to prevent the intentional buffer overflow, for the prevention of injection-type attacks have a more obvious effect.

You can use stored procedures to validate user input. The use of stored procedures can be used to filter the user input variables, such as rejecting some special symbols. As with the malicious code above, as long as the stored procedure filters out that semicolon, then the malicious code is useless. Before executing the SQL statement, you can reject some special symbols by storing procedures in the database. Without affecting database applications, you should have the database reject input that contains the following characters. As a semicolon delimiter, it is the primary accomplice to SQL injection attacks. such as the annotation separator. Annotations are only used when data is designed. The general user's query statements do not have the necessary annotation content, so you can directly reject him, usually do so without accidental loss. By rejecting these special symbols, they will be useless even if malicious code is embedded in the SQL statements.

It always verifies user input by testing type, length, format and range, and filters the content of user input. This is a common and effective measure to prevent SQL injection attacks.

4, a lot of use of SQL Server database with the security parameters.

To reduce the adverse impact of an injection attack on a SQL Server database, a relatively secure SQL parameter is specifically designed in a SQL Server database. In the database design process, engineers should try to use these parameters to eliminate malicious SQL injection attacks.

The parameters collection is provided in the SQL Server database. This collection provides functionality for type checking and length validation. If the administrator uses the Parameters collection, the user input will be treated as a character value instead of an executable code. Even if the user enters content that contains executable code, the database is filtered out. Because at this point the database treats it as a normal character. Another advantage of using the Parameters collection is that you can enforce type and length checks, and values outside the range will trigger an exception. If the value entered by the user does not conform to the specified type and length constraint, an exception occurs and is reported to the administrator. As in the case above, if the employee number is defined as a string type, the length is 10 characters. But the user input content is also the character type data, but its length reaches 20 characters. An exception is thrown at this point because the user enters a length that exceeds the limit of the database field length.

5, multi-layer environment How to prevent SQL injection attack?

In a multi-tier application environment, all data entered by the user should be validated before being allowed into the trusted zone. Data that fails the validation process should be rejected by the database and an error message is returned up one level. Implement multi-layer verification. Preventive measures taken against an innocent malicious user may not be valid for a determined attacker. A better practice is to validate the input on the user interface and all subsequent points across the trust boundary. Validating data in a client application can prevent simple script injection. However, if the next layer believes that its input has been validated, any malicious user who can bypass the client can access the system without restriction. Therefore, for multilayer application environment, in the prevention of injection attacks, it is necessary to work together on both the client and the database to prevent the injection of SQL statements.

6. Use professional vulnerability scanning tools when necessary to find points that may be attacked.

The

uses professional vulnerability scanning tools to help administrators find points that might be attacked by SQL injection. However, the vulnerability scanning tool can only detect the attack point, and not be able to proactively play a role in defending against SQL injection attacks. Of course, this tool is often used by attackers. An attacker could use this tool to automatically search for an attack target and execute an attack. For this reason, enterprises should invest in some professional vulnerability scanning tools if necessary. A perfect vulnerability scanner is different from a network scanner, which specifically looks for SQL injection vulnerabilities in the database. The latest vulnerability scanner can look for newly discovered vulnerabilities. So with professional tools, you can help administrators discover SQL injection vulnerabilities and alert administrators to take proactive steps to prevent SQL injection attacks. If an attacker can discover a SQL Injection Vulnerability database administrator has found and taken positive measures to plug the vulnerability, then the attackers can not start. My small station security door http://www.anjianmen88.com let everyone laughed at.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.