A SQL injection attack works by constructing specially crafted input and passing it to a web application as a parameter. Much of that input is written in SQL syntax, so when the application executes the resulting SQL statement it ends up carrying out the operation the attacker intended. The root cause is that the program does not filter user input carefully, so illegal data gets into the system.

According to the technical principle involved, SQL injection can be divided into platform-layer injection and code-layer injection. The former is caused by insecure database configuration or vulnerabilities in the database platform; the latter is mainly due to the programmer not filtering input carefully, so that illegal data queries are executed. On this basis, the causes of SQL injection usually show up in the following areas: (1) improper type handling; (2) insecure database configuration; (3) unreasonable handling of query result sets; (4) improper error handling; (5) improper handling of escape characters; (6) improper handling of multiple submissions.

Protective measures

To sum up, the main points are as follows:

1. Never trust user input. Validate user input, for example with regular expressions or by limiting its length, and convert single quotes, double dashes ("--") and similar characters.

2. Never use dynamically assembled SQL; use parameterized SQL, or call stored procedures directly, for data query and access.

3. Never use database connections with administrator privileges. Use a separate, limited-privilege database connection for each application.

4. Do not store confidential information directly; encrypt or hash passwords and other sensitive information.

5. The application's exception messages should reveal as little information as possible; it is better to wrap the original error message in a custom error message.

6. SQL injection detection is generally done with auxiliary software or a website-platform service. On the software side the SQL injection detection tool JSKY is commonly used; on the platform side there is the Yisi website security platform detection tool, MDCSOFT SCAN, etc. Mdcsoft-ips can effectively defend against SQL injection and XSS attacks.
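The following is an added example, not code from the original post, that puts points 1, 2 and 5 side by side in Python with the standard-library `sqlite3` driver: a query assembled from user input, the same query with the value bound as a parameter, an allow-list validator with a length limit, and a lookup wrapper that returns a generic error to the caller. The `users` table, its rows and the `USERNAME_RE` pattern are constructed for the example.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data for the example (in-memory database).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "hash-1"), (2, "bob", "hash-2")],
    )
    return conn


def find_user_unsafe(conn, name):
    # Point 2's "never": dynamic assembly. The input becomes part of the SQL
    # text, so a quote in the input can change the statement's structure.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Parameterized SQL: the driver binds the value separately from the
    # statement text, so the input is only ever compared as data.
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


# Point 1: an allow-list pattern that also caps the length (assumed policy:
# usernames are 1-32 word characters).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(name):
    # Reject anything outside the allow-list rather than trying to "fix" it.
    return isinstance(name, str) and USERNAME_RE.fullmatch(name) is not None


def lookup(conn, name):
    # Point 5: the caller sees only a generic message; the original database
    # error goes to the server-side log, not to the response.
    if not validate_username(name):
        return {"ok": False, "error": "invalid username"}
    try:
        rows = find_user_safe(conn, name)
    except sqlite3.Error as exc:
        print("internal db error:", exc)  # server log only
        return {"ok": False, "error": "request could not be processed"}
    return {"ok": True, "rows": rows}


if __name__ == "__main__":
    db = make_db()
    print(lookup(db, "alice"))
    print(lookup(db, "x' OR '1'='1"))
```

With the tautology input `x' OR '1'='1`, `find_user_unsafe` returns every row because the quote closes the literal and the rest is parsed as SQL; `find_user_safe` returns nothing because the whole string is compared as a name, and `lookup` never reaches the database because the validator rejects it first.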

Use `$` only for dynamic sorting (the ORDER BY clause). Everywhere else use `#`; the content of a `#` placeholder is bound as a string value rather than spliced into the SQL text.
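An added example, not from the original post, of why the ORDER BY case is the exception: a database driver can bind values (the `#` case) but not column names or sort directions, so those have to be spliced into the statement (the `$` case) and must be checked against a fixed allow-list before that happens. The `products` table, its rows, and the `ALLOWED_SORT_COLUMNS` set are constructed for the example; it uses the standard-library `sqlite3` driver.

```python
import sqlite3

# Allow-lists for the parts of the statement that cannot be bound as
# parameters (assumed column set for the example).
ALLOWED_SORT_COLUMNS = {"name", "created_at"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def make_db():
    # Constructed sample data for the example (in-memory database).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER, name TEXT, price REAL, created_at TEXT)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?, ?)",
        [
            (1, "pen", 1.5, "2020-01-03"),
            (2, "ink", 3.0, "2020-01-01"),
            (3, "pad", 2.0, "2020-01-02"),
        ],
    )
    return conn


def sort_clause(column, direction):
    # The `$` case: identifiers are spliced into the SQL text, so they are
    # accepted only if they match an entry of the allow-list exactly.
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError("unsupported sort direction")
    return f"ORDER BY {column} {direction}"


def search_products(conn, max_price, column="name", direction="asc"):
    # The `#` case: max_price is a value, so it is bound as a parameter and
    # never touches the statement text.
    sql = "SELECT name FROM products WHERE price <= ? " + sort_clause(column, direction)
    return [row[0] for row in conn.execute(sql, (max_price,))]


if __name__ == "__main__":
    db = make_db()
    print(search_products(db, 2.5))
    print(search_products(db, 10, "created_at", "desc"))
```

Because the allow-list check is an exact set membership test, a sort parameter carrying anything other than one of the listed column names is refused with `ValueError` before any SQL is built, while the price filter stays a bound parameter no matter what the caller passes.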