预防查询语句数据库注入漏洞攻击
简单地说,Sql注入就是将Sql代码传递到应用程序的过程,但不是按照应用程序开发人员预定或期望的方式插入,相当大一部分程序员在编写代码的时 候,并没有对用户输入数据的合法性进行判断,使应用程序存在安全隐患。这种漏洞并非系统照成,而是由程序员在编程
简单地说,Sql注入就是将Sql代码传递到应用程序的过程,但不是按照应用程序开发人员预定或期望的方式插入,相当大一部分程序员在编写代码的时 候,并没有对用户输入数据的合法性进行判断,使应用程序存在安全隐患。这种漏洞并非系统照成,,而是由程序员在编程中忽略了安全因素。Sql注入漏洞攻击原 理就是利用非法参数获得敏感信息,收集整理,分析出管理员账号密码。
当开发应用程序时,尤其是有关数据库信息的查询,查询语句中可能会有拼接字符串注入漏洞,这便会导致用户资料泄露。那么该如何防范此类漏洞的出现。
可以为查询语句设置参数,方法实例如下面所示:
Using(Sqlconnection cn = new sqlconnection(“连接字符串”))
{
cn.open();
using(sqlcommand cmd = cn.creatcommand())
{
cmd.commandtext=”select * from T_table where name=’”+textbox.text+”’”;
(此时如果在文本框中输入1’ or ‘1’=’1)就可以获取数据库信息。会造成信息的泄露。解决办法就是引入参数。方法如下。
cmd.commandtext=”select * from T_table where name=@Name”;
cmd.Parameters.Add (new sqlParameter ("@Name", textbox.text))};
这样查询数据就会从数据库查询比对,不会再出现注入漏洞攻击的情况。
}
}
每一次必不可少的会写对数据库操作的Sql语句,例如以下验证登陆的Sql语句:
string strSql="select * from Table Where UserName='"+textBoxUserName.Text+'"and UserPassord='"+textBoxPassword.Text+"'";
或者
string strSql=string.Format("select * from Table where UserName='{0}' and UserPassword='{1}'",textBoxUserName.Text,textBoxPassword.Text);
在上面的语 句中,对数据库操作的Sql语句使用字符串拼接的方式写的,这种方式是前期的程序员以及初学者通用的对数据库操作的一种Sql语句写法,上述代码中的 textBoxUserName是用户在textBoxUserName文本框中提交的用户名,textUserpassword是用户在 textUserpassword文本框中提交的密码,在理想的状态下,用户 为了对系统进行攻击,用户(就是黑客)可能尝试篡改Sql语句,达到登录的目的。例如用户可能在用户名文本框中输入下面的语句:
1' or 1=1 --
下面我们把上面一行的语句代入到前面用于登录的Sql语句中,得到下面的Sql语句:
select * from Table where UserId='1' or 1=1 --'and UserName=' '
稍 微学过数据库Sql语句的,很快就会发现上面一句话的不正常,这条Sql语句会返回Table表的全部数据,这就是黑客有机可乘的地方,黑客可以用这种方 法成功登陆,还可以获取该Table表的所有信息。下面解释一下这句Sql语句:如果只有select * from Table,就会返回该Table表的所有信息,where后是查询条件,1=1永远为True,不管User='1'为True还是为 False,UserId='1' or 1=1 都为True。至于--'and UserName=' ' ,因为两个连字符(--)是MS Sql Server的注释标记(My Sql和Oracle数据库也使用相同的技术,不过My Sql使用的注释标记师是符号#,Oracle使用的是分号;),--后面的内容传到数据库查询时都被注释了,那么--后面的内容就没用了,Sql语句不 会执行了,所以where后的查询条件永远为True,综上所述,上面的Sql查询语句会返回Table表的所有信息!
通过这种Sql语法漏洞,黑客们可以达到他们的目的,但Sql注入漏洞攻击绝对不止这一种,复杂的还有很多,我不在说了。下面我谈一下我知道在.NET中应对上面这种Sql注入攻击的防范措施。
我 们所能做的,如果不修改上面的Sql查询语句,那一种方法就是利用TextBox控件的MaxLength属性,这样就键入了黑客键入字符的数量,从而可 以限制黑客向服务器发送大量的非法命令,但这种方法只是掩耳盗铃,治不了根本。第二种方法就是删除用户输入中的单引号,方法是在单引号后面加一个或多个单 引号,或者利用空格替换单引号,这样就可以预防此类攻击。但局限性是如果用户的用户名或密码中就含有单引号呢,那就不可行了!
最完美的一种方法就是使用ADO.NET Command对象的参数集合, 在前面的可以进行Sql注入漏洞攻击的Sql语句中,通过使用字符串拼接方法动态创建查询,在这里我们可以利用ADO.NET Command的对象的Parameters属性提供的功能,传递执行Sql语句所使用的参数,在这种方法中参数名必须以字符@为前缀,例如以下Sql查 询语句:
string strSql="select * from Table where UserName=@UserName and UserPassword=@UserPassword";
在该语句中,@UserName和@UserPassword就是参数名,可以使用以下语句为该参数传值:
SqlCommand cmd=new SqlCommand(strSql,conn);
SqlParameters[] pams=new SqlParameters(new SqlParameters("@UserName",textBoxUserName.Text),new SqlParameters("@UserPassword",textBoxPassword.Text));
cmd.Parameters.AddRange(pams);
参数名不区分大小写,这种方法也适宜存储过程和SqlDataAdapter对象。
我们在动态创建Sql语句中使用了@UserName和@UserPassword名称,而不是拼接多个字符 串,这样就可以使用SqlCommand对象的Parameters集合传递值,该方法可以安全的创建动态Sql连接。参数在Sql Server内部不是简单的字符串替换,Sql Server直接0用添加的值进行数据比较,因此不会有Sql注入漏洞攻击。
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
How to check your academic qualifications on Xuexin.com
Mar 28, 2024 pm 04:31 PM
How to check my academic qualifications on Xuexin.com? You can check your academic qualifications on Xuexin.com, but many users don’t know how to check their academic qualifications on Xuexin.com. Next, the editor brings you a graphic tutorial on how to check your academic qualifications on Xuexin.com. Interested users come and take a look! Xuexin.com usage tutorial: How to check your academic qualifications on Xuexin.com 1. Xuexin.com entrance: https://www.chsi.com.cn/ 2. Website query: Step 1: Click on the Xuexin.com address above to enter the homepage Click [Education Query]; Step 2: On the latest webpage, click [Query] as shown by the arrow in the figure below; Step 3: Then click [Login Academic Credit File] on the new page; Step 4: On the login page Enter the information and click [Login];
12306 How to check historical ticket purchase records How to check historical ticket purchase records
Mar 28, 2024 pm 03:11 PM
Download the latest version of 12306 ticket booking app. It is a travel ticket purchasing software that everyone is very satisfied with. It is very convenient to go wherever you want. There are many ticket sources provided in the software. You only need to pass real-name authentication to purchase tickets online. All users You can easily buy travel tickets and air tickets and enjoy different discounts. You can also start booking reservations in advance to grab tickets. You can book hotels or special car transfers. With it, you can go where you want to go and buy tickets with one click. Traveling is simpler and more convenient, making everyone's travel experience more comfortable. Now the editor details it online Provides 12306 users with a way to view historical ticket purchase records. 1. Open Railway 12306, click My in the lower right corner, and click My Order 2. Click Paid on the order page. 3. On the paid page
How does Go language implement the addition, deletion, modification and query operations of the database?
Mar 27, 2024 pm 09:39 PM
Go language is an efficient, concise and easy-to-learn programming language. It is favored by developers because of its advantages in concurrent programming and network programming. In actual development, database operations are an indispensable part. This article will introduce how to use Go language to implement database addition, deletion, modification and query operations. In Go language, we usually use third-party libraries to operate databases, such as commonly used sql packages, gorm, etc. Here we take the sql package as an example to introduce how to implement the addition, deletion, modification and query operations of the database. Assume we are using a MySQL database.
Detailed tutorial on establishing a database connection using MySQLi in PHP
Jun 04, 2024 pm 01:42 PM
How to use MySQLi to establish a database connection in PHP: Include MySQLi extension (require_once) Create connection function (functionconnect_to_db) Call connection function ($conn=connect_to_db()) Execute query ($result=$conn->query()) Close connection ( $conn->close())
How does Hibernate implement polymorphic mapping?
Apr 17, 2024 pm 12:09 PM
Hibernate polymorphic mapping can map inherited classes to the database and provides the following mapping types: joined-subclass: Create a separate table for the subclass, including all columns of the parent class. table-per-class: Create a separate table for subclasses, containing only subclass-specific columns. union-subclass: similar to joined-subclass, but the parent class table unions all subclass columns.
iOS 18 adds a new 'Recovered' album function to retrieve lost or damaged photos
Jul 18, 2024 am 05:48 AM
Apple's latest releases of iOS18, iPadOS18 and macOS Sequoia systems have added an important feature to the Photos application, designed to help users easily recover photos and videos lost or damaged due to various reasons. The new feature introduces an album called "Recovered" in the Tools section of the Photos app that will automatically appear when a user has pictures or videos on their device that are not part of their photo library. The emergence of the "Recovered" album provides a solution for photos and videos lost due to database corruption, the camera application not saving to the photo library correctly, or a third-party application managing the photo library. Users only need a few simple steps
An in-depth analysis of how HTML reads the database
Apr 09, 2024 pm 12:36 PM
HTML cannot read the database directly, but it can be achieved through JavaScript and AJAX. The steps include establishing a database connection, sending a query, processing the response, and updating the page. This article provides a practical example of using JavaScript, AJAX and PHP to read data from a MySQL database, showing how to dynamically display query results in an HTML page. This example uses XMLHttpRequest to establish a database connection, send a query and process the response, thereby filling data into page elements and realizing the function of HTML reading the database.
Analysis of the basic principles of MySQL database management system
Mar 25, 2024 pm 12:42 PM
Analysis of the basic principles of the MySQL database management system MySQL is a commonly used relational database management system that uses structured query language (SQL) for data storage and management. This article will introduce the basic principles of the MySQL database management system, including database creation, data table design, data addition, deletion, modification, and other operations, and provide specific code examples. 1. Database Creation In MySQL, you first need to create a database instance to store data. The following code can create a file named "my
