
What are the methods to prevent SQL injection in web projects

2025-01-17 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/02 Report--

This article introduces the methods of preventing SQL injection in web projects. Many people have questions about how to prevent SQL injection in day-to-day work, so the editor consulted a range of materials and compiled some simple, practical methods. I hope it helps answer the question "what are the methods of preventing SQL injection in web projects?" Please follow along with the editor to study.

I. A brief introduction to SQL injection

SQL injection is one of the more common network attacks. It does not exploit a bug in the operating system; instead it targets the programmer's carelessness when writing code, using crafted SQL statements to log in without an account or even to tamper with the database.

II. The general idea of a SQL injection attack

1. Find the location of the SQL injection

2. Determine the server type and the back-end database type

3. Carry out the SQL injection attack based on the characteristics of that server and database

III. An example of a SQL injection attack

For example, in a login interface, you are required to enter a user name and password:

You can enter this to achieve account-free login:

User name: ' or 1=1 --

Password: (leave it empty)

Click to log in; if the input receives no special treatment, the illegal user will happily log in. (Of course, the database APIs of many languages today already deal with these problems.)

Why is that? Let's analyze it:

In theory, the back-end authentication program contains a SQL statement like this:

String sql = "select * from user_table where username='" + userName + "' and password='" + password + "'";

When the user name and password above are entered, the SQL statement becomes:

SELECT * FROM user_table WHERE username='' or 1=1 -- and password=''

Analyze this statement: the condition username='' or 1=1 is true whenever the user name equals '' or 1 equals 1, so it always succeeds. The two dashes (--) that follow start a comment, which disables the rest of the statement (the password check), so the statement always executes successfully and the user can easily fool the system and obtain a legitimate identity. This is still relatively mild; if what gets executed is

SELECT * FROM user_table WHERE username=''; DROP DATABASE (DB Name) -- and password=''

the consequences can be imagined.

IV. How to prevent SQL injection

Note: every program with a SQL injection vulnerability has it because the program accepts a variable entered by the client user or a parameter passed in the URL, and that variable or parameter becomes part of a SQL statement.

We should always be vigilant about the content users enter and the parameters they pass. This is the principle of "external data cannot be trusted" in the security field. Most of the various attacks in the field of web security are caused by developers violating this principle, so what naturally comes to mind is to start with the detection, filtering and verification of variables, to ensure that variables are what the developer expects.

1. Check the variable's data type and format

If your SQL statement looks like where id = {$id}, and all the ids in the database are numbers, then you should check that the variable id is of int type before the SQL is executed; if you accept an email address, you should check strictly that the variable is in email-address format; other types such as dates and times are handled the same way. In summary: as long as a variable has a fixed format, it should be checked strictly against that format before the SQL statement is executed, to make sure the variable is in the format we expect. This alone avoids a large share of SQL injection attacks.

For example, in the earlier example of accepting a username parameter, the product design should define a user name rule at the moment of registration, such as 5-20 characters consisting only of uppercase and lowercase letters, digits and a few safe symbols, with no special characters. We should then have a function such as check_username that performs this check in one place. However, there are still many cases where this criterion cannot apply, such as article publishing systems and comment systems, where users must be allowed to submit arbitrary strings; those require filtering and other solutions.

2. Filter special symbols

For variables whose format cannot be fixed in advance, special symbols must be filtered or escaped.

3. Bind variables and use prepared statements

MySQL's mysqli driver provides support for prepared statements, and each programming language has its own way of using them.

In fact, binding variables with prepared statements is the best way to prevent SQL injection. The semantics of a prepared SQL statement do not change: in the statement, variables are represented by question-mark placeholders (?), so no matter how skilled the attacker is, he cannot change the structure of the SQL statement.
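To make sections III and IV concrete, here is an added Python example; it is not code from the original article. It uses an in-memory SQLite database in place of MySQL (the user_table name and its username and password columns come from the article), builds the same concatenated statement as the article's Java snippet, and runs the article's ' or 1=1 -- input through both that vulnerable query and a prepared statement with ? placeholders. It also adds the check_username format check from section IV.1. The sample users, their passwords, and the exact set of "safe symbols" allowed in a user name are constructed assumptions.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data: an in-memory SQLite table standing in for the
    # article's MySQL user_table. Plaintext passwords mirror the article's
    # example only; a real application stores password hashes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_table (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO user_table VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    return conn


def build_vulnerable_sql(username, password):
    # Same string concatenation as the article's Java snippet: the user's
    # text becomes part of the statement and can change its structure.
    return ("SELECT * FROM user_table WHERE username='" + username
            + "' AND password='" + password + "'")


def login_vulnerable(conn, username, password):
    rows = conn.execute(build_vulnerable_sql(username, password)).fetchall()
    return len(rows) > 0


def login_prepared(conn, username, password):
    # Section IV.3: bind variables with ? placeholders. The statement's
    # structure is fixed before the values arrive, so input is only ever data.
    rows = conn.execute(
        "SELECT * FROM user_table WHERE username=? AND password=?",
        (username, password),
    ).fetchall()
    return len(rows) > 0


# Section IV.1: check the format before any SQL runs. The allowed symbol set
# (underscore, dot, hyphen) is an assumption; the article only says "some
# safe symbols". fullmatch anchors the pattern to the whole string.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.\-]{5,20}")


def check_username(username):
    return USERNAME_RE.fullmatch(username) is not None


def check_int_id(value):
    # For "where id = {$id}" style queries: accept only a plain decimal integer.
    return re.fullmatch(r"[0-9]+", str(value)) is not None


def demo():
    conn = make_db()
    injected = "' or 1=1 --"   # the article's account-free login input
    return {
        "vulnerable_sql": build_vulnerable_sql(injected, ""),
        "vulnerable_bypassed": login_vulnerable(conn, injected, ""),
        "prepared_bypassed": login_prepared(conn, injected, ""),
        "prepared_valid": login_prepared(conn, "alice", "correct-horse"),
        "username_rejected": check_username(injected),
        "username_ok": check_username("alice_01"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the concatenated statement ending in `username='' or 1=1 --' AND password=''`, where the `--` comments out the password check and the vulnerable login returns true with no credentials, while the prepared statement treats the same text as a literal user name and returns false. The format check rejects the same input before it ever reaches the database.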

This concludes the study of "what are the methods to prevent SQL injection in web projects". I hope it resolves your doubts. Combining theory with practice is the best way to learn, so go and try it! If you want to keep learning more related knowledge, please continue to follow the website; the editor will keep working to bring you more practical articles.
