
SQL Injection Attacks and Defense

2010-07-06 20:50
1. What Is SQL Injection?
Take a look at the example below first.

Suppose the application builds a query like this:
---------------------------------------------------------------
String query = "SELECT * FROM table WHERE field = '" +
request.getParameter("input") + "'";
---------------------------------------------------------------
and the request URL looks like this:
---------------------------------------------------------------
http://localhost:8080/test.jsp?input=1' or '1'='1
---------------------------------------------------------------
The SQL that reaches the database is then SELECT * FROM table WHERE field = '1' or '1'='1'. Because '1'='1' is always true,
the WHERE clause matches every row: the query returns all of the records in the table instead of only those whose field equals the supplied value.
This example shows what SQL injection is and how it occurs: untrusted input is concatenated into the SQL text, so the input can
change the structure of the query rather than only supplying a value.

This is a very simple example. In the real world an attacker can do much more with SQL injection.
Depending on the database engine and the privileges of the database account, it may be possible to read files from the operating system (such as the password file) or to execute operating-system commands.

2. How Can We Find SQL Injections?
Before taking any protective measures, we have to find out whether there are such vulnerabilities
in our system.
First, the easiest way is to input a special character such as a single quote. If the system returns a database error message,
the input reached the SQL parser unescaped and the system almost certainly has a flaw.
Second, if there is no error message (errors may be hidden from the client), try it this way:
a. Query with the SQL "select * from table where field = 100" and note that we get 10 records ("100" comes from the client side).
b. Then send a value so that the SQL becomes "select * from table where field = 50 + 50" ("50 + 50" comes from the client side; in a URL the plus sign must be sent as %2B, because a literal + is decoded as a space).
If we still get 10 records, the database evaluated the arithmetic, so the client value is being placed directly into the SQL. I would have to say "Congratulations!".
As a control, a value such as "50 + 51" should change the result; if it does not, the application may simply be ignoring the parameter and the match proves nothing.

If we have the source code, it is much easier to find a vulnerability.
For example, we can search for the keyword "createStatement" (a java.sql.Statement executing SQL built from strings) and check how the SQL passed to it is assembled.
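The two probes from steps a. and b. above, written out as an added example that is not part of the original page. The page's code is Java; this uses Python with the standard sqlite3 module standing in for the web application and its database, so it runs offline. `vulnerable_endpoint` and `safe_endpoint` are constructed stand-ins for the page's test.jsp (one concatenates the parameter into the SQL, the other binds it), and `probe` applies the single-quote test and the arithmetic-equivalence test, with a control value so that an application that ignores the parameter is not reported as injectable.

```python
import sqlite3
import urllib.parse

def build_db():
    """Constructed sample data: 10 rows with field = 100 (the count the text describes),
    plus a few rows with other values so that a different result is observable."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE t (id INTEGER PRIMARY KEY, field INTEGER)")
    db.executemany("INSERT INTO t (field) VALUES (?)",
                   [(100,)] * 10 + [(101,)] * 3 + [(7,)] * 2)
    return db

def vulnerable_endpoint(db, value):
    """Hypothetical endpoint that concatenates the client value into the SQL,
    like "select * from table where field = 100" on the page.
    Returns the row count, or the database error text (an application that
    shows errors to the client)."""
    sql = "select * from t where field = " + value
    try:
        return len(db.execute(sql).fetchall())
    except sqlite3.Error as e:
        return "ERROR: " + str(e)

def safe_endpoint(db, value):
    """Same lookup with the value bound as a parameter: the text '50 + 50'
    is compared as a literal string and never evaluated."""
    return len(db.execute("select * from t where field = ?", (value,)).fetchall())

def probe(endpoint, base_value="100"):
    """Black-box tests from section 2. `endpoint` is a function taking the
    client-side value and returning the application's response."""
    findings = {}
    # Test 1: a lone single quote produces a database error if it reaches the parser unescaped.
    resp = endpoint(base_value + "'")
    findings["error_on_quote"] = isinstance(resp, str) and resp.startswith("ERROR:")
    # Test 2: arithmetic equivalence. "100" and "50 + 50" must give the same response,
    # while the control "50 + 51" must give a different one.
    n = int(base_value)
    half = n // 2
    baseline = endpoint(base_value)
    same = endpoint(f"{half} + {n - half}")
    control = endpoint(f"{half} + {n - half + 1}")
    findings["arithmetic_evaluated"] = (same == baseline) and (control != baseline)
    findings["injectable"] = findings["error_on_quote"] or findings["arithmetic_evaluated"]
    return findings

def to_query_string(param, value):
    """Encode the probe value for a URL: the space becomes %20 and, importantly,
    the plus sign becomes %2B, because a raw + is decoded as a space by the server."""
    return param + "=" + urllib.parse.quote(value, safe="")

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", probe(lambda v: vulnerable_endpoint(db, v)))
    print("safe:      ", probe(lambda v: safe_endpoint(db, v)))
    print(to_query_string("input", "50 + 50"))
```

Against a real target, `endpoint` would be a function that sends the HTTP request built with `to_query_string` and returns the response body; the comparison logic stays the same.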

As long as you know how to add two numbers you can apply that knowledge to every scenario involving addition.
SQL injection is the same.
You need to understand the hows and whys and the rest will simply be a matter of practice.

3. Defenses
Defending against SQL injection is not very difficult. We have the measures below.
Most of the time the root cause of SQL injection is the creation of SQL queries as strings, which are then sent to the database for execution.
1). Use parameterized statements
For example, in Java use PreparedStatement with "?" placeholders and setString/setInt instead of concatenating the value into the SQL.
The value is sent to the database separately from the query text, so it can never change the structure of the query. This is the primary defense; the measures below are supplements to it.
2). Validate the input from the client
Whitelist (whitelist validation is the practice of only accepting input that is known to be good, for example requiring a numeric ID to consist of digits only.)
Blacklist (blacklisting is the practice of rejecting input that is known to be bad: if the input contains any character or keyword in the blacklist, it is rejected.
Blacklists are easy to bypass with alternative encodings, comments or case changes, so prefer whitelists.)
3). Encoding (more precisely, escaping)
For example
-------------------------------------------
sql = sql.replaceAll("'", "''");
-------------------------------------------
Doubling the single quote keeps the value inside the string literal, but only for values that are placed inside quotes.
It does nothing for a numeric context such as "where id = " + input, where the payload "1 or 1=1" contains no quote at all, and it ignores database-specific escape characters (for example the backslash in MySQL).
Treat it as a stopgap for legacy code, not as a replacement for 1).
4). Using an abstraction layer such as Hibernate can reduce the risk of SQL injection, because its mapping APIs and named parameters produce parameterized SQL.
It does not remove the risk: an HQL or native query built by string concatenation is just as injectable as raw JDBC.
For some legacy systems we may do something like the following (no need to change the source code, only add some layers):
1). Add a filter (for example a servlet Filter that validates or rejects request parameters before they reach the application)
2). Apply Aspect-Oriented Programming (an aspect around the data-access methods that checks or escapes their arguments)
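An added example, not from the original page, covering the injection from section 1 and defenses 1), 2) and 3) together. The page's code is Java; this uses Python's standard sqlite3 module so it runs without a database server, with the sqlite3 "?" placeholder playing the role of JDBC PreparedStatement. The users table, its rows and the function names are constructed for illustration. It shows that the page's payload returns every row against string concatenation, that the parameterized query neutralises it, that quote-doubling works inside a string literal but fails in a numeric context, and that a digits-only whitelist rejects the numeric payload outright.

```python
import re
import sqlite3

def build_db():
    """Constructed sample table: three users, one per row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "s1"), (2, "bob", "s2"), (3, "carol", "s3")])
    return db

def lookup_concat(db, name):
    """Vulnerable: the page's pattern, the value concatenated inside quotes."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [r[0] for r in db.execute(sql)]

def lookup_param(db, name):
    """Defense 1): parameterized statement. The value is bound, never parsed as SQL."""
    return [r[0] for r in db.execute("SELECT name FROM users WHERE name = ?", (name,))]

def lookup_escaped(db, name):
    """Defense 3): quote-doubling, the counterpart of the page's replaceAll("'", "''").
    Works here only because the value sits inside a string literal."""
    sql = "SELECT name FROM users WHERE name = '" + name.replace("'", "''") + "'"
    return [r[0] for r in db.execute(sql)]

def lookup_by_id_escaped(db, id_text):
    """The same escaping in a numeric context: the payload "0 or 1=1" contains no
    quote, so nothing is escaped and the condition is still injected."""
    sql = "SELECT name FROM users WHERE id = " + id_text.replace("'", "''")
    return [r[0] for r in db.execute(sql)]

# Defense 2): whitelist for the numeric context, 1 to 9 digits and nothing else.
ID_PATTERN = re.compile(r"[0-9]{1,9}")

def validate_id(id_text):
    """True only if the whole value matches the whitelist pattern."""
    return ID_PATTERN.fullmatch(id_text) is not None

def lookup_by_id_whitelisted(db, id_text):
    """Whitelist validation in front of a parameterized query (defenses 2) and 1) combined)."""
    if not validate_id(id_text):
        raise ValueError("rejected: id must be 1-9 digits")
    return [r[0] for r in db.execute("SELECT name FROM users WHERE id = ?", (int(id_text),))]

if __name__ == "__main__":
    db = build_db()
    payload = "x' or '1'='1"
    print("concat:   ", lookup_concat(db, payload))      # every user
    print("param:    ", lookup_param(db, payload))       # nothing matches the literal text
    print("escaped:  ", lookup_escaped(db, payload))     # quote doubled, nothing matches
    print("id/escaped:", lookup_by_id_escaped(db, "0 or 1=1"))   # every user again
    print("id/valid:  ", validate_id("0 or 1=1"), validate_id("2"))
```

The numeric case is the one to remember when reviewing escaping-based fixes: `replaceAll("'", "''")` leaves `where id = 0 or 1=1` untouched, whereas the `?` placeholder and the whitelist both stop it.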