In addition to Weibo, there is also WeChat
Please pay attention
WeChat public account
Shulou
2025-01-29 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Database >
Share
Shulou(Shulou.com)06/01 Report--
This article will explain in detail how to prevent sql injection from mysql. The editor thinks it is very practical, so I share it with you for reference. I hope you can get something after reading this article.
SQL Injection attacks are very harmful. Attackers can use it to read, modify or delete data in the database, obtain sensitive information such as user names and passwords in the database, and even obtain the authority of the database administrator. If you can use SQLServer extended stored procedures and custom extended stored procedures to execute some system commands, the attacker can also gain control of the system. Moreover, SQL Injection is also difficult to prevent. Webmasters cannot protect themselves by installing system patches or simple security configuration, and ordinary firewalls cannot block SQL Injection attacks.
How does mysql prevent sql injection?
1. There should be a strict distinction between the permissions of ordinary users and system administrator users.
If an ordinary user embeds another Drop Table statement in a query statement, is execution allowed?
Because the Drop statement is related to the basic objects of the database, the user must have the relevant permissions to operate this statement. In the permission design, for the end users, that is, the users of the application software, it is not necessary to give them the rights to establish and delete database objects.
Then even if they use SQL statements with embedded malicious code, due to their user rights restrictions, the code will not be executed. Therefore, when the application is designed,
two。 Force the use of parameterized statements.
If the variables entered by the user are not directly embedded in the SQL statement when writing the SQL statement. If you pass this variable through parameters, you can effectively prevent SQL injection attacks.
That is, the user's input must not be embedded directly in the SQL statement. In contrast, the user's input must be filtered, or parameterized statements must be used to pass the user's input variables. Parameterized statements use parameters instead of embedding user input variables in SQL statements. Adopt this measure
Most SQL injection attacks can be eliminated. Unfortunately, there are not many database engines that support parameterized statements. However, database engineers should try their best to use parameterized statements when developing products.
3. Use the security parameters that come with the SQL Server database frequently.
In order to reduce the adverse effects of injection attacks on SQLServer database, relatively secure SQL parameters are specially designed in SQLServer database. In the process of database design, engineers should try their best to use these parameters to prevent malicious SQL injection attacks.
For example, the Parameters collection is provided in the SQL Server database. This collection provides type checking and length verification. If the administrator adopts the Parameters collection, the user input will be treated as a character value rather than executable code. Even if the user's input contains executable code, the database is filtered out. Because at this time, the database only treats it as ordinary characters. Another advantage of using Parameters collections is that type and length checks can be enforced, and values outside the range will trigger exceptions.
If the value entered by the user does not meet the specified type and length constraints, an exception occurs and is reported to the administrator. As in the case above, if the employee number defines a data type of string type with a length of 10 characters. Although the content entered by the user is also character type data, but its length is up to 20 characters. An exception is thrown because the length of the content entered by the user exceeds the limit for the length of the database field.
4. Strengthen the verification of user input.
Generally speaking, there are two ways to prevent SQL injection attacks.
One is to strengthen the inspection and verification of user input, and the other is to force the use of parameterized statements to transmit user input.
In SQLServer database, there are many user input verification tools that can help administrators deal with SQL injection attacks. Test the contents of the string variable, accepting only the desired values. Rejects input that contains binary data, escape sequences, and comment characters. This helps prevent script injection and some buffer overflow attacks. Test the size and data type of user input and enforce appropriate restrictions and conversions. This helps to prevent intentional buffer overflow and has an obvious effect on the prevention of injection attacks.
For example, you can use stored procedures to validate the user's input. Stored procedures can be used to filter user input variables, such as rejecting some special symbols. As in the malicious code above, as long as the stored procedure filters out the semicolon, there is no chance for the malicious code to show its talent.
Before executing the SQL statement, you can reject some special symbols through the stored procedures of the database. Without affecting the database application, the database should be asked to reject input that contains the following characters. Such as the semicolon delimiter, it is the main accomplice of SQL injection attacks. Such as comment delimiters. Annotations can only be used when designing data. There is no need to comment in the query statement of the general user, so he can be rejected directly, usually without accidental loss. Reject these special symbols, and even if malicious code is embedded in the SQL statement, they will do nothing.
Therefore, always validate the user input and filter the user input through the test type, length, format and scope. This is a common and effective measure to prevent SQL injection attacks.
5. How to prevent SQL injection attacks in Multi-tier Environment
In a multi-tier application environment, all data entered by the user should be verified before it can be allowed to enter the trusted area.
Data that fails the validation process should be rejected by the database and an error message should be returned to the upper layer. Implement multi-layer verification. Precautions taken against aimless malicious users may not be effective against determined attackers.
It is better to validate input in the user interface and at all subsequent points across trust boundaries. For example, validating data in a client application can prevent simple script injection.
However, if the next layer believes that its input has been validated, any malicious user who can bypass the client can have unrestricted access to the system. Therefore, for multi-tier application environment, when preventing injection attacks, all layers need to work together, and corresponding measures should be taken to prevent injection attacks of SQL statements on both the client side and the database side.
On mysql to prevent sql injection methods to share here, I hope that the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.
Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.
Views: 253
*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.
Continue with the installation of the previous hadoop.First, install zookooper1. Decompress zookoope
"Every 5-10 years, there's a rare product, a really special, very unusual product that's the most un
© 2024 shulou.com SLNews company. All rights reserved.