SQL Injection Attacks and Defense
Source: Internet | Published by: 收腰羽绒服 知乎 | Editor: 程序博客网 | Time: 2024/05/22 11:50
1. What Is SQL Injection?
Take a look at the example below first.
Suppose we have a code statement like the following:
---------------------------------------------------------------
String query = "SELECT * FROM table WHERE field = '" +
request.getParameter("input") + "'";
---------------------------------------------------------------
If the request URL looks like this:
---------------------------------------------------------------
http://localhost:8080/test.jsp?input= 1' or '1'='1
---------------------------------------------------------------
This query will return every record in the table instead of filtering out the records that do not match the condition, because the injected "or '1'='1'" is always true.
From this example, we can see what SQL injection is and how it occurs.
This is a very simple example; in the real world, much more can be done through SQL injection.
For example, we can read the password file of the operating system or execute arbitrary commands through SQL injection.
2. How Can We Find SQL Injections?
Before we take any protective measures, we have to find out whether there are any vulnerabilities
in our system.
First, the easiest way is to input some special character such as a single quote. If the system returns an error message,
the system must have some flaw.
Second, if there is no error message, we can try it this way:
a. Suppose the query "select * from table where field = 100" returns 10 records ("100" comes from the client side).
b. Then send a value that turns the query into "select * from table where field = 50 + 50" ("50 + 50" comes from the client side).
If we still get 10 records, I would have to say "Congratulations!" (the database evaluated the arithmetic, so the client value reached the SQL text unchanged).
If we have the source code, it will be much easier to find a vulnerability.
For example, we can search for the keyword "createStatement".
As long as you know how to add two numbers you can apply that knowledge to every scenario involving addition.
SQL injection is the same.
You need to understand the hows and whys and the rest will simply be a matter of practice.
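The source-code search suggested above can be scripted. The following helper is an added example, not code from the original post: it scans Java/JSP files for `createStatement(` and for SQL text built by string concatenation, the two patterns a reviewer would inspect first. The class name, the regexes and the constructed sample are all assumptions; the scanner is a review heuristic, not a complete taint analysis.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;

// Hypothetical review helper: flags the places a reviewer would inspect by hand
// when hunting for SQL injection in Java/JSP sources.
public class SqlSinkScanner {
    // Plain Statement creation, the keyword the article suggests searching for.
    private static final Pattern CREATE_STATEMENT =
            Pattern.compile("\\.createStatement\\s*\\(");
    // A string literal concatenated with '+' directly inside execute*( ... ).
    private static final Pattern CONCAT_EXECUTE =
            Pattern.compile("execute(Query|Update)?\\s*\\(.*\"\\s*\\+");
    // A query variable assembled from a SQL literal plus '+', e.g. String query = "SELECT ..." + ...
    private static final Pattern CONCAT_QUERY_VAR = Pattern.compile(
            "String\\s+\\w+\\s*=\\s*\"\\s*(SELECT|INSERT|UPDATE|DELETE)\\b.*\"\\s*\\+",
            Pattern.CASE_INSENSITIVE);

    // Scans one file's text and returns "file:line: message" findings.
    public static List<String> scanSource(String fileName, String source) {
        List<String> findings = new ArrayList<>();
        String[] lines = source.split("\n");
        for (int i = 0; i < lines.length; i++) {
            String line = lines[i];
            String where = fileName + ":" + (i + 1);
            if (CREATE_STATEMENT.matcher(line).find()) {
                findings.add(where + ": createStatement() - check how the query text is built");
            }
            if (CONCAT_EXECUTE.matcher(line).find() || CONCAT_QUERY_VAR.matcher(line).find()) {
                findings.add(where + ": SQL text concatenated from strings - candidate for PreparedStatement");
            }
        }
        return findings;
    }

    // Walks a directory tree and scans every .java and .jsp file in it.
    public static List<String> scanTree(Path root) throws IOException {
        List<Path> files;
        try (Stream<Path> walk = Files.walk(root)) {
            files = walk.filter(p -> p.toString().endsWith(".java") || p.toString().endsWith(".jsp"))
                        .collect(Collectors.toList());
        }
        List<String> findings = new ArrayList<>();
        for (Path p : files) {
            findings.addAll(scanSource(p.toString(), Files.readString(p)));
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: the pattern from section 1 plus one safe line for contrast.
        String sample = String.join("\n",
                "Statement st = conn.createStatement();",
                "String query = \"SELECT * FROM table WHERE field = '\" + request.getParameter(\"input\") + \"'\";",
                "ResultSet rs = st.executeQuery(query);",
                "PreparedStatement ps = conn.prepareStatement(\"SELECT * FROM table WHERE field = ?\");");
        scanSource("Sample.jsp", sample).forEach(System.out::println);
        // Optionally scan a real source tree: java SqlSinkScanner path/to/src
        if (args.length > 0) {
            scanTree(Paths.get(args[0])).forEach(System.out::println);
        }
    }
}
```

On the constructed sample the first two lines are reported and the PreparedStatement line is not. A query assembled far from its execute call, or built with StringBuilder, will only be caught by the assignment pattern, so treat the output as a list of places to read, not as a verdict.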
3. Defenses
Defending against SQL injection is not very difficult; we have the measures below.
Most of the time, the root cause of SQL injection is the creation of SQL queries as strings that are then sent to the database for execution.
1). Use parameterized statements
For example, we can use PreparedStatement in Java.
2). Validate the input from the client
Whitelist (whitelist validation is the practice of only accepting input that is known to be good).
Blacklist (blacklisting is the practice of only rejecting input that is known to be bad:
the input is rejected if it contains any character in the blacklist).
3). Encoding
For example, escape the single quotes in the client value before it is placed inside the quoted SQL literal (escaping the whole statement would also double the quotes that delimit the literal):
-------------------------------------------
// every ' in the client value becomes '' before the value is concatenated into the SQL string
String input = request.getParameter("input").replaceAll("'", "''");
-------------------------------------------
4). If we can use an abstraction layer such as Hibernate, it can reduce the risk of SQL injection.
For some legacy systems, we may do something like the following (no need to change the source code; only add some layers):
1). Add a filter
2). Apply Aspect-Oriented Programming
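The following is an added example that combines measures 1) and 2) above; it is not code from the original post. It keeps the article's concatenated query only for comparison, whitelist-validates the "input" parameter as an integer, and then runs the lookup through a PreparedStatement so the value is bound as data rather than pasted into SQL text. The class name and the table and column names (items, field) are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical class; table "items" and column "field" are assumed names.
public class SafeLookup {
    // Whitelist for the "input" parameter: this endpoint only ever expects an integer id.
    private static final Pattern NUMERIC = Pattern.compile("^[0-9]{1,9}$");

    // The article's vulnerable form, kept only for comparison: the client value becomes
    // part of the SQL text, so 1' or '1'='1 rewrites the WHERE clause.
    static String buildVulnerableQuery(String input) {
        return "SELECT * FROM items WHERE field = '" + input + "'";
    }

    // Whitelist validation: returns the parsed id or throws before any SQL is touched.
    static int validateInput(String input) {
        if (input == null || !NUMERIC.matcher(input).matches()) {
            throw new IllegalArgumentException("parameter 'input' must be a positive integer");
        }
        return Integer.parseInt(input);
    }

    // Parameterized statement: the SQL text is fixed in the source; the value is bound
    // with setInt and reaches the database as data, never as SQL.
    static List<String> lookup(Connection conn, String input) throws SQLException {
        int id = validateInput(input);
        String sql = "SELECT * FROM items WHERE field = ?";
        List<String> rows = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    rows.add(rs.getString(1));   // first column of each matching row
                }
            }
        }
        return rows;
    }

    public static void main(String[] args) throws SQLException {
        String injected = "1' or '1'='1";   // the payload from section 1
        System.out.println("Concatenated SQL: " + buildVulnerableQuery(injected));
        try {
            validateInput(injected);
        } catch (IllegalArgumentException e) {
            System.out.println("Whitelist rejected it: " + e.getMessage());
        }
        // With a JDBC URL on the command line the parameterized lookup runs for real,
        // e.g. java SafeLookup jdbc:h2:mem:test (a JDBC driver on the classpath is assumed).
        if (args.length > 0) {
            try (Connection conn = DriverManager.getConnection(args[0])) {
                System.out.println(lookup(conn, "100"));
            }
        }
    }
}
```

The two defenses are layered on purpose: the whitelist rejects anything that is not an id before the database is involved, and the PreparedStatement means that even a value which slipped past validation could not change the structure of the query.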
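As an added example of the "add a filter" option for a legacy application (not code from the original post), the servlet filter below whitelist-validates selected request parameters and answers 400 before the request reaches any JSP or servlet that builds SQL. The class name, the parameter names and their patterns, and the javax.servlet API level are assumptions.

```java
import java.io.IOException;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter for a legacy application: validates selected request
// parameters against a whitelist without touching the existing page code.
public class ParameterWhitelistFilter implements Filter {
    // Parameter name -> pattern the value must match completely (assumed rules).
    private static final Map<String, Pattern> RULES = Map.of(
            "input", Pattern.compile("^[0-9]{1,9}$"),              // numeric id from section 1
            "name",  Pattern.compile("^[A-Za-z][A-Za-z ]{0,63}$"));

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        for (Map.Entry<String, Pattern> rule : RULES.entrySet()) {
            String[] values = request.getParameterValues(rule.getKey());
            if (values == null) {
                continue;   // parameter absent from this request: nothing to check
            }
            for (String value : values) {
                if (!rule.getValue().matcher(value).matches()) {
                    // Reject before the request reaches the code that builds SQL.
                    ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST,
                            "invalid value for parameter " + rule.getKey());
                    return;
                }
            }
        }
        chain.doFilter(req, res);
    }
}
```

Register it in web.xml with a filter element for the class and a filter-mapping whose url-pattern is "/*", so that every request passes through it. Each rule is a whitelist for one parameter, not a blacklist of dangerous characters; a parameter with no rule is passed through unchecked, so the map has to cover every parameter the legacy code feeds into a query.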