2025-02-28 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
This article walks through four common misunderstandings about SQL injection vulnerabilities. The content is fairly detailed, and readers who are interested may find it useful.
SQL injection is an old topic, but it remains one of the biggest security risks that we, as developers and database professionals, face.
Millions of users' records are leaked every year, mostly because of careless SQL queries written during development. In fact, SQL injection is completely preventable as long as the code is written correctly.
I'll highlight four common misunderstandings about SQL injection. Security is no small matter; nobody should have any illusions about it!
1. "My database information is not public, so it is safe"
Maybe you do a good job of keeping your database details secret, but is that really safe? In fact, an attacker who understands how databases are typically built can simply guess common database and table names. For example, your database may contain tables such as:
Users
Inventory
Products
Sales
and so on.
Table names like these are extremely common, especially when developers keep default names to save time. That habit is dangerous, and it deserves attention from the earliest stages of development.
2. "Create confusing table and column names, with a naming convention that only you understand"
It may seem that an attacker can't easily guess names this way, but don't overlook the existence of system tables such as sys.objects and sys.columns!
SELECT t.name, c.name FROM sys.objects t INNER JOIN sys.columns c ON t.object_id = c.object_id
An attacker can easily write the query above to learn your "secure" naming convention.
Using uncommon table names is fine, but don't make it your only defense.
3. "Injection is a problem for developers / DBAs / someone else to solve"
It is true that SQL injection is a problem that developers, DBAs and others must solve. But it is by no means a problem for one group alone. Security requires cooperation on many fronts, and developers, DBAs and everyone else involved must address it together.
Preventing SQL injection is hard.
Developers should validate input, filter it and parameterize queries. DBAs should parameterize, filter, restrict access, and so on.
Multi-layered security in both the application and the database is the only way to effectively prevent SQL injection attacks.
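As an added example (not code from the original article), the following Python script contrasts the string-concatenated query that lets injection happen with the two developer-side measures named in point 3, an allowlist validation check and a parameterized query. The Users table, its rows and the test input are constructed for this example.

```python
import re
import sqlite3

# Constructed sample data (not from the article): a small in-memory
# database with a Users table, so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO Users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn

# Developer layer 1, validation: an allowlist of what a username may look like.
# A quote or space never passes, so malformed input is stopped before any SQL runs.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

def is_valid_username(name):
    return USERNAME_RE.fullmatch(name) is not None

# The vulnerable pattern: the query text is assembled by string formatting,
# so a quote in the input changes the SQL statement itself.
def lookup_concat(conn, name):
    sql = f"SELECT name, email FROM Users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

# Developer layer 2, parameterization: the driver binds name as a value and
# the SQL text stays fixed, whatever the input contains.
def lookup_param(conn, name):
    return conn.execute(
        "SELECT name, email FROM Users WHERE name = ?", (name,)
    ).fetchall()

def demo():
    conn = make_db()
    # Constructed test input: a closing quote followed by an always-true condition.
    probe = "x' OR '1'='1"
    return {
        "concat": len(lookup_concat(conn, probe)),  # 2: every user row leaks
        "param": len(lookup_param(conn, probe)),    # 0: compared as a literal name
        "rejected": not is_valid_username(probe),   # True: validation blocks it
    }

if __name__ == "__main__":
    print(demo())
```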
4. "There are so many targets on the network that I will never be the one attacked"
Maybe you think you won't be that unlucky, or that your business data isn't worth an attacker's effort. But don't forget that most SQL injection attacks are carried out with fully automated tools such as sqlmap. The attackers may not care about your business, but that doesn't stop them from harvesting your user data automatically.
Remember: whatever the size of your business, you cannot escape the threat posed by automated SQL injection tools.
That concludes the four misunderstandings about SQL injection vulnerabilities. I hope the content above is helpful and that you learned something from it. If you found the article useful, please share it so more people can see it.
Subscribe to "Shulou Technology Information" to get the latest news, interesting stories and hot topics in the IT industry, and to keep up with the latest Internet news, technology news and IT industry trends.
© 2024 shulou.com SLNews company. All rights reserved.