Last week I made a website for someone else, and accidentally discovered that my work had many holes: in just 20 seconds I got in with SQL injection. So I looked up some material on SQL injection and gained some insight, which I hope to share with beginners. Experts will laugh at this!
The general idea of a SQL injection attack:
1. Discover the SQL injection locations;
2. Determine the server type and the back-end database type;
3. Determine what can be executed.
This is the general pattern attackers follow. Next I will also give my own understanding of SQL injection methods.
Injection method:
In theory, the authentication web page's statement would look like this:
select * from admin where username='XXX' and password='YYY'
If the necessary character filtering is not performed before this statement is run, SQL injection is easy.
For example, enter abc' or 1=1-- in the user name text box and 123 in the password box; the SQL statement then becomes:
select * from admin where username='abc' or 1=1--' and password='123'
Because -- starts a comment, everything after it (the password check) is discarded, and since 1=1 is always true the statement succeeds no matter what username and password the user enters; the user easily deceives the system and obtains a legitimate identity.
Guessing approach:
The basic idea is: guess the database names, guess every table name in the database, analyse which table names may store user names and passwords, guess every field name in the table, and guess the content of every record in the table.
There is also a shortcut to obtain the database name and the name of each table:
just make the application report an error, with a request of the form http://www . .cn/news?id=10' , and the error message gives away the database and table names!
For JSP, we generally adopt the following strategies:
1. PreparedStatement
If you are already a moderately advanced developer, you should always use PreparedStatement instead of Statement.
Here are some reasons:
1. Code readability and maintainability.
2. PreparedStatement improves performance as much as possible.
3. The most important point: security is greatly improved.
Even now, some people (myself included) don't know even the basic malicious SQL syntax. Take this statement:
String sql = "select * from tb_name where name='" + varname + "' and passwd='" + varpasswd + "'";
If we pass ' or '1' = '1 as name, with an arbitrary password, what does the statement become?
select * from tb_name where name='' or '1' = '1' and passwd = 'casual';
Because '1'='1' is always true, it passes any verification. Worse still:
pass '; drop table tb_name; as varpasswd, and then:
select * from tb_name where name='any' and passwd=''; drop table tb_name;
Some databases will not let this succeed, but there are also many databases that will execute these statements.
With precompiled (prepared) statements, whatever content you pass in is bound as a parameter value and never becomes part of the SQL text, so it cannot alter the statement. (The premise is that the database itself supports precompilation. There is probably no server-side database that does not; only a few desktop databases, the ones accessed directly as files, lack it.) As long as you use prepared statements everywhere, you do not need to filter the incoming data at all. If you use ordinary statements, you may spend a great deal of effort judging and second-guessing drop, ;, and so on.
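As an added example, not part of the original post, here is the login check above written both ways with JDBC, so the difference is visible when run. It assumes the H2 in-memory database (JDBC URL jdbc:h2:mem:demo, H2 jar on the classpath) and a table tb_name(name, passwd) matching the post's statement; the class and method names are my own. Note that AND binds tighter than OR, so the ' or '1'='1 payload is placed in the password field, where it makes the whole WHERE clause true.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added example, not the original post's code. Assumes the H2 in-memory
// database and a table tb_name(name, passwd) like the one in the post.
public class LoginCheck {

    // Vulnerable: the two values are spliced into the SQL text, exactly like
    // the String sql = "select * from tb_name where name='" + ... in the post.
    static boolean loginUnsafe(Connection conn, String varname, String varpasswd)
            throws SQLException {
        String sql = "select * from tb_name where name='" + varname
                + "' and passwd='" + varpasswd + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next(); // a row means "login accepted"
        }
    }

    // Safe: the statement text is fixed and precompiled with ? placeholders; the
    // values travel to the driver as parameters and are never parsed as SQL, so
    // a quote or "; drop table" inside them is only data compared with the column.
    static boolean loginSafe(Connection conn, String varname, String varpasswd)
            throws SQLException {
        String sql = "select 1 from tb_name where name=? and passwd=?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, varname);
            ps.setString(2, varpasswd);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumed JDBC URL (H2 in-memory); constructed demo table and user.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo");
             Statement st = conn.createStatement()) {
            st.execute("create table tb_name(name varchar(64), passwd varchar(64))");
            st.execute("insert into tb_name values ('alice', 'correct-horse')");

            String payload = "' or '1'='1";   // the injection string from the post

            // Legitimate credentials: both versions accept them.
            System.out.println("unsafe, real password: "
                    + loginUnsafe(conn, "alice", "correct-horse"));
            System.out.println("safe,   real password: "
                    + loginSafe(conn, "alice", "correct-horse"));

            // Injected password: the spliced query becomes
            //   ... where name='alice' and passwd='' or '1'='1'
            // which is always true; the prepared query just compares the
            // literal string ' or '1'='1 against the passwd column.
            System.out.println("unsafe, injected     : "
                    + loginUnsafe(conn, "alice", payload));
            System.out.println("safe,   injected     : "
                    + loginSafe(conn, "alice", payload));
        }
    }
}
```

Run it and the spliced version accepts the injected password while the prepared version rejects it; no filtering of the input is needed in loginSafe, which is the point the paragraph above makes.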
2. Regular expressions
2.1. Regular expression to detect SQL meta-characters:
/(\%27)|(\')|(\-\-)|(\%23)|(\#)/ix
2.2. Modified regular expression to detect SQL meta-characters:
/((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(;))/i
2.3. Regular expression for a typical SQL injection attack:
/\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix
2.4. Regular expression to detect SQL injection with the UNION query keyword:
/((\%27)|(\'))union/ix
(%27)|(') is the single quote and its hex equivalent; union is the UNION keyword.
2.5. Regular expression to detect MS SQL Server SQL injection attacks:
/exec(\s|\+)+(s|x)p\w+/ix
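As an added example (mine, not from the post or any project), the five expressions above compiled with java.util.regex and run over a few constructed request-parameter values, the way a servlet filter would use them for logging or detection. Java has no /x modifier; since none of the patterns contain whitespace, CASE_INSENSITIVE alone reproduces /i and /ix. The last sample value, O'Brien, shows the false positive the section on character masking below warns about: a legitimate apostrophe trips the meta-character rule.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Added example, not the original post's code: the post's five detection
// regexes as java.util.regex Patterns, applied to constructed sample values.
public class SqliDetector {

    // No /x flag needed: the patterns contain no whitespace or comments.
    private static final int FLAGS = Pattern.CASE_INSENSITIVE;

    private static final Map<String, Pattern> RULES = new LinkedHashMap<>();
    static {
        // 2.1 SQL meta-characters: quote, comment, hash (and URL-encoded forms)
        RULES.put("2.1 meta-characters",
                Pattern.compile("(%27)|(')|(--)|(%23)|(#)", FLAGS));
        // 2.2 '=' followed, on the same line, by a quote, comment or semicolon
        RULES.put("2.2 '=' then meta-character",
                Pattern.compile("((%3D)|(=))[^\\n]*((%27)|(')|(--)|(%3B)|(;))", FLAGS));
        // 2.3 typical attack: a quote immediately followed by 'or'
        RULES.put("2.3 typical 'or",
                Pattern.compile("\\w*((%27)|('))((%6F)|o|(%4F))((%72)|r|(%52))", FLAGS));
        // 2.4 a quote immediately followed by the UNION keyword
        RULES.put("2.4 'union",
                Pattern.compile("((%27)|('))union", FLAGS));
        // 2.5 MS SQL Server: exec followed by an sp_/xp_ stored procedure name
        RULES.put("2.5 exec sp_/xp_",
                Pattern.compile("exec(\\s|\\+)+(s|x)p\\w+", FLAGS));
    }

    // Returns the names of every rule that matches somewhere in the value.
    static List<String> matchingRules(String value) {
        List<String> hits = new ArrayList<>();
        for (Map.Entry<String, Pattern> rule : RULES.entrySet()) {
            if (rule.getValue().matcher(value).find()) {
                hits.add(rule.getKey());
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample parameter values, as they might arrive in a request
        String[] samples = {
            "10",                                  // normal id
            "abc' or 1=1--",                       // the post's login bypass
            "x'or'1'='1",                          // quote glued to 'or'
            "1'UNION SELECT name FROM tb_name",    // union query
            "1; exec sp_help",                     // MS SQL stored procedure
            "O'Brien"                              // legitimate apostrophe
        };
        for (String s : samples) {
            List<String> hits = matchingRules(s);
            System.out.println((hits.isEmpty() ? "clean  " : "SUSPECT")
                    + "  " + s + "  " + hits);
        }
    }
}
```

Use the result to log or alert rather than to reject outright: the last sample shows why blanket blocking breaks legitimate input, and the prepared statements of section 1 remain the real fix.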
3. String filtering
public static String filterContent(String content) {
    String flt = "'|and|exec|insert|select|delete|update|count|*|%"
               + "|chr|mid|master|truncate|char|declare|;|or|-|+|,";
    // split() takes a regular expression, so the | separator must be escaped
    String[] filter = flt.split("\\|");
    for (int i = 0; i < filter.length; i++) {
        // String is immutable: replace() returns the new value rather than changing content in place
        content = content.replace(filter[i], "");
    }
    return content;
}
4. Unsafe character masking
This part uses JS to block characters, and it plays only a very small role. Although blocking keywords has some effect, in real applications these SQL keywords may also be genuine query terms, and then they get blocked by you and the user can no longer use the site normally. It is better to put the effort into coding standards.
When the executed SQL contains variables, just use the PreparedStatement provided by JDBC (or another data persistence layer). Remember never to splice strings together.
Function description: checks whether the string contains ' , \ or /
Parameter: the string to be checked
Return value: 0 if it does contain one of them, 1 if it does not
function check(a)
{
    var fibdn = new Array("'", "\\", "/");
    var i = fibdn.length;
    var j = a.length;
    for (var ii = 0; ii < i; ii++)
    {
        for (var jj = 0; jj < j; jj++)
        {
            var temp1 = a.charAt(jj);
            var temp2 = fibdn[ii];
            if (temp1 == temp2)
            {
                return 0; // an unsafe character was found
            }
        }
    }
    return 1; // no unsafe character found
}