What Is an SQL Injection?
SQL injection means that the web application does not validate, or does not strictly filter, the data entered by the user. The attacker can append additional SQL statements to the query statement the web application has defined in advance, without the administrator's knowledge. In this way illegal operations are carried out: the database server is deceived into performing unauthorized, arbitrary queries, and the attacker thereby obtains the corresponding data. [1]
- A SQL injection attack modifies the SQL statement by manipulating the input, so that code is executed against the web server. Simply put, it is the process of inserting SQL commands into a POST/GET web form, into the domain name, or into the query string of a page request, and finally causing the web server to execute malicious commands. A brief example illustrates it. Assume the URL of a website page is http://www.example.com?test=123. The URL actually passes the variable test with the value 123 to the server, which indicates that the current page is the result of a dynamic query against the database. From this, malicious SQL statements can be inserted into the URL and executed. In addition, during website development, developers use dynamic strings to construct SQL statements for the required application logic. In this case the SQL statements are built dynamically while the program runs, and different SQL statements can be generated according to different conditions, for example when fields in the database need to be queried according to different requirements. Such a development process leaves many opportunities for SQL injection attacks. [4]
- Any application system developed on top of a database may offer a vector for SQL injection attacks. Since 1999, SQL injection vulnerabilities have been among the most common security vulnerabilities. SQL injection so far
- Step 1: SQL injection point detection. Detecting SQL injection points is a critical step. With proper analysis of the application, you can determine where SQL injection points exist. As long as a dynamic web page accepts submitted input and accesses the database, a SQL injection vulnerability may exist. If the programmer's awareness of information security is weak, SQL statements are constructed dynamically to access the database, and user input is not validated, the likelihood of a SQL injection vulnerability is very high. Generally, the error information returned by the page is used to determine whether a SQL injection vulnerability exists. [6]
- Because the program did not check the soundness of the user's input data when it was written, the attacker can mix code into the SQL injection point for execution, and use the prompts returned on the page to obtain the information needed for the next step of the attack. According to the type of input parameter, SQL injection methods can be roughly divided into two kinds: numeric injection and character (string) injection. [7]
- SQL injection is one of the most common attack methods against current web applications. Its security risk is high, and to a certain extent exceeds that of buffer overflows.
- 1. Boolean-based blind injection
- Because the web page's return value is either True or False, Boolean-based blind injection obtains database information from the page's return value after the injection. [1]
- There are currently two main types of detection methods for SQL injection. The first is dynamic monitoring, performed while the system is running, usually during the system acceptance phase or the online operation phase: the system is scanned with dynamic attack probes, and the scan result determines whether a SQL injection vulnerability exists. The second is static detection, also known as static code scanning, which performs a deep analysis of the code. [5]
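As an added example (not from the cited sources), a minimal static check of the second kind: it parses Python source with the standard `ast` module and reports `execute`-style calls whose SQL text is assembled at runtime rather than passed as a literal with parameters. The sample source it scans is constructed for the demonstration.

```python
import ast

# Constructed sample source for the demonstration (not from the page):
# two query sites build SQL from a variable, one passes it as a parameter.
SAMPLE_SOURCE = '''
def find_user(cur, name):
    cur.execute("SELECT id FROM users WHERE name = '" + name + "'")

def find_user_fmt(cur, name):
    cur.execute(f"SELECT id FROM users WHERE name = '{name}'")

def find_user_safe(cur, name):
    cur.execute("SELECT id FROM users WHERE name = ?", (name,))
'''

# Method names treated as "runs SQL" (DB-API cursor style).
EXEC_NAMES = {"execute", "executemany", "executescript"}


def _is_dynamic(node):
    """True if the query expression contains anything that is not a literal."""
    if isinstance(node, ast.Constant):
        return False
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return _is_dynamic(node.left) or _is_dynamic(node.right)
    if isinstance(node, ast.JoinedStr):  # f-string
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    # str.format(...), a variable holding a prebuilt query, or any other
    # runtime expression: flag it for review.
    return True


def find_dynamic_queries(source):
    """Return sorted line numbers of execute-style calls whose first
    argument (the SQL text) is built at runtime."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name in EXEC_NAMES and _is_dynamic(node.args[0]):
            findings.append(node.lineno)
    return sorted(findings)


if __name__ == "__main__":
    for line in find_dynamic_queries(SAMPLE_SOURCE):
        print(f"line {line}: SQL text built at runtime, use a parameter instead")
```

A real scanner would also follow variables across assignments; this one only inspects the expression at the call site.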
- The harm done by SQL injection attacks is great, and it is difficult for a firewall to intercept them. The main methods of preventing SQL injection attacks cover the following aspects. [9]
- 1. Hierarchical management
- Manage users hierarchically and strictly control user permissions: ordinary users must not be granted permissions such as creating, deleting or modifying databases, and only the system administrator holds the permissions to add, delete, modify and query. In the example above, the user appended a drop table to the query; it must not be allowed to execute, otherwise the security of the system's database cannot be guaranteed. With permissions restricted by design, even if a malicious attacker embeds attack code in submitted data, the permission settings prevent that code from executing, which reduces the security threat that SQL injection poses to the database. [9]
- 2. Parameter passing
- When programmers write SQL, they must not write variables directly into SQL statements; related variables must be passed by setting corresponding parameters, which suppresses SQL injection. Entered data must not be embedded directly in the query. At the same time, the input should be filtered to remove unsafe data, or input variables should be passed as input parameters. This prevents SQL injection attacks to the greatest extent. [9]
- 3. Basic filtering and secondary filtering
- Before a SQL injection attack, the intruder submits special characters such as "and" by modifying the parameters, to determine whether a loophole exists, and then writes SQL injection statements using keywords such as select and update. Therefore, to prevent SQL injection, user input must be checked to ensure the security of the data entered. When checking input or submitted variables, characters such as single quotes, double quotes and colons are converted or filtered, which effectively prevents SQL injection. Of course, there are many dangerous characters. When obtaining the parameters submitted by the user, first perform basic filtering, and then perform secondary filtering according to the function of the program and the likely user input, to ensure the security of the system. [9]
- 4. Use safety parameters
- To effectively suppress the impact of SQL injection attacks on the SQL database, special SQL security parameters were provided in the design of the SQL Server database. When writing programs, you should use these security parameters wherever possible to prevent injection attacks and so ensure the security of the system. [9]
- The SQL Server database provides the Parameters collection. Its function is to perform type checking and length verification on the data. When the programmer uses the Parameters collection in the program design, the system automatically filters out executable code in the user input and treats the input as a character value. If the user's input contains malicious code, the database can also filter it out during its checks. The Parameters collection can also perform mandatory checks: once a checked value is out of range, the system reports an error and at the same time sends the information to the system administrator, so that the administrator can take corresponding preventive measures. [9]
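As an added example (not code from the cited sources), the difference between the two approaches shown in Python with the standard sqlite3 module on a small constructed table: a query built by string concatenation lets the input change the query, while a parameterized query, together with a type check on a numeric parameter in the spirit of the Parameters collection, treats the input purely as a character value.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demonstration (not from the page)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    con.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return con


def lookup_dynamic(con, name):
    """Dynamic string construction: the input becomes part of the SQL text,
    so a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_parameterized(con, name):
    """Parameter passing: the value is sent separately from the SQL text and
    is only ever compared as a character value, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in con.execute(sql, (name,))]


def lookup_by_id(con, raw_id):
    """Numeric parameter: reject anything that is not a plain decimal integer
    before it reaches the query (type check), then bind it as a parameter."""
    if not (isinstance(raw_id, str) and raw_id.isdigit()):
        raise ValueError("id must be a decimal integer")
    rows = con.execute("SELECT name FROM users WHERE id = ?", (int(raw_id),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # classic tautology used to test an injection point
    print("dynamic      :", lookup_dynamic(db, probe))        # every row
    print("parameterized:", lookup_parameterized(db, probe))  # no row has that name
```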
- 5. Vulnerability scanning
- To prevent SQL injection attacks more effectively, in addition to putting effective preventive measures in place for system management, it is also necessary to find out in time which SQL security vulnerabilities exist in the system. System administrators can purchase SQL vulnerability scanning tools for certain specialized systems, and with such professional tools detect the corresponding vulnerabilities in the system promptly. Vulnerability scanning tools can only detect SQL injection vulnerabilities; they cannot prevent SQL injection attacks. However, based on the vulnerabilities found by scanning, the system administrator can take the corresponding security measures to close them, thereby shutting the door on SQL injection attacks and ensuring the security of the system. [9]
- 6. Multi-layer verification
- The functions of website systems are becoming more and more complex. To ensure the security of the system, a visitor's input must pass strict verification before entering the system. Input that fails verification is denied access to the database outright, and an error message is sent to the upper layer of the system. At the same time, the visitor's input is verified in the client-side access program, which more effectively prevents simple SQL injection. However, if the lower layers of the multi-level verification accept the data as already verified, then an attacker who bypasses the client can access the system at will. Therefore, when performing multi-level verification, each level must cooperate with the others. Only effective verification and protection on both the client and the system side can better prevent SQL injection attacks. [9]
- 7. Database information encryption
- Traditional encryption and decryption methods can be roughly divided into three types: [9]
- (1) Symmetric encryption: The encrypting and decrypting parties use the same encryption algorithm and key. Key storage is critical in this scheme, because the algorithm is public and only the key is kept secret; once the key is leaked, hackers can easily decrypt the data. Common symmetric encryption algorithms are AES, DES, etc. [9]
- (2) Asymmetric encryption: Different keys are used for encryption and decryption. The keys are divided into a public key and a private key. Data encrypted with the private key must be decrypted with the public key, and data encrypted with the public key must be decrypted with the corresponding private key. Common asymmetric encryption algorithms include RSA. [9]
- (3) Irreversible encryption: A hash algorithm is used so that the data cannot be decrypted back to the original. Commonly used hash algorithms are MD5, SHA-1 and so on. [9]