
How to prevent SQL injection? Introducing 5 ways to prevent SQL injection

零下一度
Release: 2017-05-17 15:57:59

1. Introduction to SQL Injection

SQL injection is one of the more common network attack methods. It does not exploit a bug in the operating system; instead it targets programmers' negligence when writing code, using SQL statements to log in without an account or even to tamper with the database.

2. The general idea of an SQL injection attack

1. Find the location of SQL injection

2. Determine the server type and the back-end database type

3. Conduct SQL injection attacks based on different server and database characteristics

3. SQL injection attack examples

For example, a login screen asks for a username and password:

You can enter the following to log in without an account:

Username: ' or 1 = 1 --

Password:

Click to log in. If the input is given no special handling, the illegitimate user will log in with ease. (Of course, the database APIs of some languages have already dealt with these problems.)

Why is this? Let’s analyze it below:

In principle, the back-end authentication program contains an SQL statement like the following:

String sql = "select * from user_table where username='" + userName + "' and password='" + password + "'";

When the above user name and password are entered, the above SQL statement becomes:

SELECT * FROM user_table WHERE username='' or 1 = 1 --' and password=''

Analyze the SQL statement:

The condition is username='' or 1=1, that is, username equals the empty string, or 1=1, so this condition always succeeds;

The two hyphens (--) added after it start a comment, which comments out the rest of the statement so that it has no effect. The statement can therefore always execute correctly, and the user easily deceives the system and obtains a legitimate identity.

That case is relatively mild. If

SELECT * FROM user_table WHERE username='' ;DROP DATABASE (DB Name) --' and password=''

is executed, the consequences can be imagined.

4. Countermeasures

Let me talk about the countermeasures for JSP:

1. (Simple and effective method) PreparedStatement

Use a precompiled statement (PreparedStatement), which has built-in handling for SQL injection: just pass the values through its setXXX methods.

Benefits of use:

(1). Code readability and maintainability.

(2). PreparedStatement improves performance as much as possible.

(3). The most important point is that it greatly improves security.

Principle:

SQL injection does its damage only during the preparation (compilation) of the SQL statement.

A PreparedStatement has already been prepared, so the execution phase treats the input string purely as data and no longer parses or prepares the SQL statement, which avoids the SQL injection problem.
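The login query from section 3 written both ways, as an added example that is not code from the original article: the concatenated form from the page next to a PreparedStatement that binds the values with setString. The class and method names and the sample row are assumptions, and main assumes its first argument is a JDBC URL for an empty scratch database whose driver is on the classpath.

```java
import java.sql.*;

public class LoginQueryDemo {
    // The article's vulnerable form: the input becomes part of the SQL text and is parsed as SQL.
    static boolean loginConcatenated(Connection c, String userName, String password) throws SQLException {
        String sql = "select * from user_table where username='" + userName
                + "' and password='" + password + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // Hardened form: the statement text is fixed; the values are bound with setString
    // and reach the database as data only.
    static boolean loginPrepared(Connection c, String userName, String password) throws SQLException {
        String sql = "select * from user_table where username = ? and password = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, userName);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: args[0] is a JDBC URL for an empty scratch database.
        try (Connection c = DriverManager.getConnection(args[0]);
             Statement st = c.createStatement()) {
            // Constructed sample data; a real system stores a password hash, not the password.
            st.executeUpdate("create table user_table (username varchar(64), password varchar(64))");
            st.executeUpdate("insert into user_table values ('alice', 'constructed-sample')");

            String userName = "' or 1 = 1 --"; // the username input from the article's example
            try {
                System.out.println("concatenated: " + loginConcatenated(c, userName, ""));
            } catch (SQLException e) {
                // Some databases reject the rewritten statement instead of running it.
                System.out.println("concatenated: statement was altered: " + e.getMessage());
            }
            System.out.println("prepared:     " + loginPrepared(c, userName, ""));
            System.out.println("prepared, valid account: "
                    + loginPrepared(c, "alice", "constructed-sample"));
        }
    }
}
```

In the prepared form the whole input string is compared with the username column as a literal value, so it matches no row, while the valid account still logs in.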

2. Use regular expressions to filter the incoming parameters

Package to be imported:

import java.util.regex.*;

Regular expression:

private String CHECKSQL = "^(.+)\\sand\\s(.+)|(.+)\\sor(.+)\\s$";

Check whether it matches:

Pattern.matches(CHECKSQL, targetStr);

The specific regular expressions are as follows:

Regular expression for detecting SQL meta-characters:

/(\%27)|(\')|(\-\-)|(\%23)|(#)/ix

Modified regular expression for detecting SQL meta-characters:

/((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(;))/i

Regular expression for a typical SQL injection attack:

/\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix

Regular expression for detecting SQL injection with the UNION query keyword:

/((\%27)|(\'))union/ix

Regular expression for detecting SQL injection attacks on MS SQL Server:

/exec(\s|\+)+(s|x)p\w+/ix

And so on...

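3. String filtering

A fairly general method:

(The entries between the | separators can be added to according to the needs of your own program.)

public static boolean sql_inj(String str) {
    // Blacklisted tokens, separated by |
    String inj_str = "'|and|exec|insert|select|delete|update|"
            + "count|*|%|chr|mid|master|truncate|char|declare|;|or|-|+|,";
    String[] inj_stra = inj_str.split("\\|");
    for (int i = 0; i < inj_stra.length; i++) {
        // Any occurrence of a blacklisted token marks the input as suspicious
        if (str.indexOf(inj_stra[i]) >= 0) {
            return true;
        }
    }
    return false;
}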

4. Call this function in JSP to check whether the input contains illegal characters

Prevent SQL injection through the URL:

sql_inj.java code:

package sql_inj;

public class sql_inj {
    // Returns true when str contains any blacklisted token
    public static boolean sql_inj(String str) {
        String inj_str = "'|and|exec|insert|select|delete|update|"
                + "count|*|%|chr|mid|master|truncate|char|declare|;|or|-|+|,";
        // You can add more entries here yourself
        String[] inj_stra = inj_str.split("\\|");
        for (int i = 0; i < inj_stra.length; i++) {
            if (str.indexOf(inj_stra[i]) >= 0) {
                return true;
            }
        }
        return false;
    }
}
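The token list above is matched as a substring anywhere in the input, so ordinary values are flagged as well. The following is an added example, not code from the original article: it runs the same token list over constructed, legitimate form values and reports which token rejects each one. The class name, the firstHit helper and the sample values are assumptions.

```java
public class KeywordFilterCheck {
    // Token list copied from the article's sql_inj method.
    static final String[] TOKENS =
            ("'|and|exec|insert|select|delete|update|"
           + "count|*|%|chr|mid|master|truncate|char|declare|;|or|-|+|,").split("\\|");

    // Hypothetical helper: returns the first blacklisted token found in str, or null if none.
    static String firstHit(String str) {
        for (String token : TOKENS) {
            if (str.indexOf(token) >= 0) {
                return token;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed, legitimate form values (not attack input).
        String[] samples = {
            "O'Brien",               // surname with an apostrophe
            "Alexander",             // contains "and"
            "Victoria",              // contains "or"
            "discount",              // contains "count"
            "mary-ann@example.com",  // hyphen in an e-mail address
            "Smith, John",           // comma between surname and first name
            "100% cotton",           // percent sign
            "alice"                  // contains no listed token
        };
        for (String s : samples) {
            String hit = firstHit(s);
            System.out.println(s + " -> "
                    + (hit == null ? "accepted" : "rejected by \"" + hit + "\""));
        }
    }
}
```

With the values bound through PreparedStatement, as the article recommends, such inputs can be accepted as they are.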

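5. Check code in the JSP page:

Use JavaScript to block unsafe characters on the client side

Function: checks whether the string contains "'", "\\" or "/"

Parameter: the string to check

Return value: 0: yes; 1: no

The function name is:

function check(a) {
    // Client-side convenience check only; the server must still handle the input safely.
    var fibdn = new Array("'", "\\", "/");   // forbidden characters
    var i = fibdn.length;
    var j = a.length;
    for (var ii = 0; ii < i; ii++) {
        for (var jj = 0; jj < j; jj++) {
            var temp1 = a.charAt(jj);
            var temp2 = fibdn[ii];
            if (temp1 == temp2) {
                return 0;   // a forbidden character was found
            }
        }
    }
    return 1;   // no forbidden character was found
}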

===================================

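In general, guarding against ordinary SQL injection only takes a little effort on coding standards.

Whenever the SQL to be executed contains variables, use what JDBC (or another data persistence layer) provides, such as PreparedStatement, and remember never to build the statement by concatenating strings.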

source:php.cn