Prevent SQL injection in web projects
2022-04-23 11:06:00 【liming89】
Source of the article: http://www.bdgxy.com/
I. Introduction to SQL injection
SQL injection is one of the most common network attacks. It does not exploit a bug in the operating system; it exploits the programmer's negligence. By crafting SQL statement fragments, an attacker can log in without an account and even tamper with the database.
II. General approach of an SQL injection attack
- 1. Find the SQL injection point
- 2. Determine the server type and the back-end database type
- 3. Launch an SQL injection attack tailored to the characteristics of that server and database
III. An SQL injection attack example
Take a login form that asks for a user name and a password.
The following input logs in without an account:
user name: ' or 1=1 --
password: (left empty)
Click "log in". If the input is not handled specially, the illegal user is proudly logged in. (Some languages' database APIs already deal with this, provided the query is built with their parameter binding rather than by string concatenation.)
Why is that? Let's analyze:
In theory, the back-end authentication program contains an SQL statement like the following (deliberately vulnerable, as in the original):
String sql = "select * from user_table where username='" + userName + "' and password='" + password + "'";
When the user name and password above are entered, that SQL statement becomes:
SELECT * FROM user_table WHERE username='' or 1=1 --' and password=''
Analysis of the SQL statement:
The condition username='' or 1=1 is satisfied for every row: the user name is compared with the empty string, but 1=1 is always true and the two are joined with OR, so the condition necessarily succeeds.
The two dashes that follow begin an SQL comment, which comments out the rest of the statement, including the password check, so it no longer takes effect. The statement therefore always executes successfully and the user easily cheats the system into granting a legitimate session.
A less gentle variant: if what gets executed is
SELECT * FROM user_table WHERE username=''; DROP DATABASE (DB Name) --' and password=''
the consequences are easy to imagine.
(Whether that second statement actually runs depends on the database driver: executing several statements in one call usually has to be enabled explicitly on the connection, and many drivers refuse it by default. The login bypass above needs no such setting, which is why it is the more common case.)
IV. How to defend against SQL injection
Note: a program has an SQL injection vulnerability because it accepts a variable or a URL parameter and makes that variable or parameter part of an SQL statement. Be suspicious of every user input and every passed parameter. This is the principle "external data is not trusted" in the security field, and most attack classes in web security exist because developers violate it. The natural response is therefore to start with the variables themselves: check, filter and validate them, so that each variable is exactly what the developer expects.
1. Check the data type and format of variables
If your SQL statement has the form where id={$id} and every id in the database is a number, then before the SQL is executed you should check that the variable id is of int type. If the input is an e-mail address, check strictly that the variable is in e-mail format; dates, times and so on are treated the same way. In short: whenever a variable has a fixed format, check it strictly against that format before the SQL statement is executed, so that the variable is in the format we expect. This avoids most SQL injection attacks.
For example, when accepting a username parameter, the product design should fix a user name rule at registration time, such as 5 to 20 characters consisting only of upper- and lower-case letters, digits and a few safe symbols, with no special characters; a single check_username function then performs the same check everywhere. There are still many cases this criterion cannot cover, however: an article publishing system or a comment system must accept arbitrary strings from users, and those need other measures such as filtering or, better, parameter binding (section 3 below).
2. Filter special symbols
For variables whose format cannot be pinned down, special symbols must be filtered or escaped. Escaping rules are database-specific (which characters are special, and how a quote is escaped, differ between MySQL, PostgreSQL and SQLite), so use the escape function supplied by your database driver rather than a hand-written replace, and treat escaping as a fallback: it only takes one forgotten code path to reopen the hole, which is why bound variables (next section) are preferred.
3. Bind variables: use prepared statements
MySQL's mysqli driver (PHP) supports prepared statements, and each programming language has its own way of using them.
In practice, binding variables with prepared statements is the best defence against SQL injection. With a prepared statement the semantics of the SQL do not change: variables are marked with a question mark ? in the statement text, and the values are sent to the database separately from that text, so however skilled the attacker, the input cannot alter the structure of the SQL statement. One limit to keep in mind: placeholders can only stand for values. Table and column names, the sort column of an ORDER BY and similar identifiers cannot be bound, so when those come from user input they must be chosen from a fixed allow-list in code.
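The defences of sections 1 and 3 side by side, as an added example that is not part of the original article: the article's Java/MySQL login query is rewritten here in Python against an in-memory SQLite database so that it runs offline (the language and database are assumptions of this example, not the author's stack). login_concat reproduces the vulnerable string concatenation, login_prepared binds the values with ? placeholders, and login_validated applies the 5-to-20-character user name rule from section 1 (the exact character set is assumed) before any SQL runs. The table, its columns and the sample user are constructed for the demonstration, and stacked_query_is_blocked shows what this particular driver does with the "; DROP ..." variant.

```python
import re
import sqlite3

# Added example, not the article's code. Registration rule assumed: 5-20
# characters, letters, digits and underscore only.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{5,20}")


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one user whose password the attacker does not know."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_table (username TEXT, password TEXT)")
    conn.execute("INSERT INTO user_table VALUES ('alice', 's3cret-Pa55')")
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """VULNERABLE on purpose: user input is pasted into the statement text,
    exactly like the Java snippet in section III."""
    sql = ("SELECT * FROM user_table WHERE username='" + username
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_prepared(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """FIXED: ? placeholders. The statement text never contains the user's
    characters; the values travel separately, so a quote or a -- comment in
    the input stays inside the value being compared."""
    sql = "SELECT * FROM user_table WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def login_validated(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Defence in depth: reject anything that cannot be a user name before
    any SQL runs, then still use the prepared statement."""
    if not USERNAME_RE.fullmatch(username):
        return False
    return login_prepared(conn, username, password)


def stacked_query_is_blocked(conn: sqlite3.Connection) -> bool:
    """True if this driver refuses a second statement appended to the first
    (the DROP scenario). Python's sqlite3 does; other drivers differ, which
    is why the setting must be checked per driver."""
    try:
        conn.execute("SELECT 1; DROP TABLE user_table")
    except (sqlite3.Warning, sqlite3.Error):
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 --"
    print("concat   :", login_concat(db, payload, ""))      # True: bypass
    print("prepared :", login_prepared(db, payload, ""))    # False
    print("validated:", login_validated(db, payload, ""))   # False
    print("legit    :", login_prepared(db, "alice", "s3cret-Pa55"))  # True
    print("stacked query blocked by driver:", stacked_query_is_blocked(db))
```

Run it directly to see the payload ' or 1=1 -- succeed only against login_concat. The validated version stops this payload at the regex, but the prepared statement is what makes the comparison safe for any input, including inputs that a looser registration rule would have allowed through.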
Summary:
- 1. Use prepared statements with bound variables for SQL
- 2. Store users' confidential information, passwords above all, hashed or encrypted, so that a successful injection discloses less
- 3. Do not leave detailed web server or database error display enabled in production; error text tells the attacker about the query and the schema
- 4. Validate incoming parameters with regular expressions
- 5. Filter strings that cannot be validated against a fixed format
- 6. Check incoming request data for illegal characters
Overall, ordinary SQL injection can be prevented by working on the code in line with the rules above.
Copyright notice
This article was written by [liming89]; when reposting, please include the original link. Thank you.
https://yzsam.com/2022/04/202204231102124598.html