1. What is SQL injection?
The so-called SQL injection is to insert SQL commands into the form form to submit or enter the query string of the domain name or page request, and finally trick the server into executing some malicious SQL commands. By submitting parameters to construct clever SQL statements, you can successfully obtain the desired data.
2. SQL type of injection
Specifically, SQL injection can be divided into five categories, namely: number injection, character injection, search injection (like), in injection, and sentence connection injection.
From the application point of view, special attention should be paid to SQL injection in IP, search, batch deletion, and transfer from database to database.
3. How to inject
Let's look at a typical example
SqlCommand cmd = new SqlCommand("SELECT * FROM PE_USERS WHERE UserName = '"
2+ UserName + "' AND UserPassword = '" + PassWord + "'", conn);
Since there is no validation for UserName and PassWord, if UserName="admin' OR 1=1--"
The executed SQL statement becomes:
SELECT * FROM PE_USERS WHERE UserName=’admin’ OR 1=1—‘ AND UserPassword=’’
This results in SQL injection, and the conditions are always true, so you can log in successfully without a password.
4. How to prevent SQL injection
1. Filter or convert suspicious strings
SQL injection is prevented by writing functions that filter or convert dangerous strings, and then use GLOBAL.ASAX or rewrite context instances
Here's an example
public static bool SqlFilter2(string InText)
2 {
3 string word="and|exec|insert|select|delete|update|chr|mid|master|or|truncate|char|declare|join";
4 if(InText==null)
5 return false;
6 foreach(string i in word. Split('|'))
7 {
8 if((InText.ToLower(). IndexOf(i+" ")>-1)|| (InText.ToLower(). IndexOf(" "+i)>-1))
9 {
10 return true;
11 }
12 }
13 return false;
14 }
2. Global.asax
protected void Application_BeginRequest(Object sender, EventArgs e)
2 {
3 // Traversing the Post parameters, except for hidden domains
4 foreach(string i in this. Request.Form)
5 {
6 if(i=="__VIEWSTATE")continue;
7 this.goErr(this. Request.Form.ToString());
8 }
9 // Traverse the Get parameter.
10 foreach(string i in this. Request.QueryString)
11 {
12 this.goErr(this. Request.QueryString.ToString());
13 }
14 } private void goErr(string tm)
2 {
3 if(WLCW. Extend.CValidity.SqlFilter2(tm))
4 this. Response.end()
5 }
Pros: This aspect is used by most beginner programmers to prevent SQL injection, and it seems to work well to prevent injection in most cases.
Disadvantages: 1. It will filter some characters that were not originally used for injection, causing unexpected problems. For example, if a forum member's name contains the same characters as the filtered characters, it will cause some unexpected problems and troubles.
2. Filtering or conversion is required every time, which reduces the efficiency of the program
2. Use stored procedures for parametric queries
The main purpose of SQL injection is to execute malicious commands in the database by submitting malicious SQL code. Therefore, as long as SQL commands are processed before execution, SQL injection can be effectively prevented. Parameterized queries can effectively prevent SQL injection.
Example
const string strSql = "SELECT * FROM [PE_Users] WHERE UserName = @UserName";
Parameters parms = new Parameters("@UserName", DbType.String, userName);
There is a parameter @UserName above, using the Prarmeter object, through which the parameter is added to the Command object,
This gives you a parameterized query.
As described above, ADO.NET sends the following SQL statement to SQL Server:
Exec sp_executesql N ‘select * from [pe_users] where username=@username ‘,N
‘@username nvarchar(20) ‘,@username=N ‘name’
SQL Server replaces @username with the string "name" before executing the query.
Suppose you have the following inputs:
'union select @@version,null,null—
The generated SQL statement looks like this:
Exec sp_executesql N ‘select * from [pe_users] where username=@username ‘,N
‘@username nvarchar(20) ‘,@username=N ‘’’ union select @@version,null,null--’
You can see that ADO.NET escapes the input.
- public SqlParameter Add(string parameterName, SqlDbType sqlDbType, int size);
DbTye or SqlDbType can be a variety of data types.
You can choose based on your data type.
In some places, it can also be used to specify the length of the parameter: int size. This also effectively prevents database overflows and SQL notes
Possibility of entering.
Pros: Effectively prevents SQL injection.
Disadvantages: Some places cannot be applied, such as in.
3. Whitelist
Description:
Some known parameter ranges can be handled in the form of whitelists, which can prevent SQL injection and querying
Wrong, for example: order by + column name, when the column name is passed in the form of a parameter, a whitelist can be formulated to judge the parameter first
whether the number is in the whitelist, and then query, otherwise it will be processed incorrectly.
Advantages: safe and reliable
Disadvantages: Small range of applications |
Posted on 4/17/2015 1:06:50 PM
|
|
|
