1. Introduction to SQL Injection
SQL injection is one of the more common forms of network attack. It does not exploit a bug in the operating system; it exploits a programmer's negligence when writing code, using crafted SQL statements to log in without an account or even to tamper with the database.
2. General idea of an SQL injection attack
1. Find where an SQL injection is possible
2. Determine the server type and the back-end database type
3. Carry out the injection according to the characteristics of that server and database
3. Example of an SQL Injection Attack
For example, consider a login form that asks for a user name and a password.
You can log in without having an account by entering the following:
User name: ' or 1 = 1 --
Password: (left empty)
Click Login; if the input is not handled specially, the illegitimate user logs in successfully. (Of course, some language database APIs now handle these issues.)
Why? Let's analyze it:
In theory, the back-end authentication program builds an SQL statement like this:
    // vulnerable: the user-supplied values are concatenated straight into the SQL text
    String sql = "select * from user_table where username='" + userName + "' and password='" + password + "'";
When the user name and password above are entered, the SQL statement becomes:
    SELECT * FROM user_table WHERE username='' or 1 = 1 -- ' and password=''
Analyzing the statement:
The condition username='' or 1 = 1 is always true, because 1 = 1 holds no matter what the user name is;
the two dashes that follow start a comment, which disables the remainder of the statement (the password check), so the statement always executes successfully and the user can easily trick the system into granting a legitimate identity.
That is still the gentle case. If instead the following is executed:
    SELECT * FROM user_table WHERE username='' ;DROP DATABASE (DB Name) --' and password=''
...the consequences can be imagined. (Whether a second statement appended after a semicolon is actually run depends on the database and the driver.)
4. Countermeasures
Here is how to deal with it in JSP:
1. (Simple and effective method) PreparedStatement
A precompiled statement has built-in protection against SQL injection: you simply pass the values through its setXXX methods.
Benefits:
- Readability and maintainability of the code.
- PreparedStatement maximizes performance.
- Most importantly, it greatly improves security.
Principle:
- SQL injection can only do damage during the preparation (compilation) of the SQL statement.
- A PreparedStatement is already prepared, so in the execution phase the input string is processed purely as data.
- Because the input is never parsed and prepared as part of the SQL statement, injection is avoided.
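As an added example (not code from the original post), here is the vulnerable concatenation from the analysis above next to the PreparedStatement version. It assumes a JDBC driver on the classpath, takes the connection URL as its command-line argument, and creates a small user_table with one constructed row; the plaintext password column only mirrors the page's example, real systems store a hash.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class LoginCheck {
    // Vulnerable version, as in the statement analyzed above: the values are pasted into
    // the SQL text, so the input  ' or 1 = 1 --  rewrites the statement itself.
    static boolean loginUnsafe(Connection conn, String userName, String password) throws SQLException {
        String sql = "select * from user_table where username='" + userName
                   + "' and password='" + password + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next();   // true: some row matched, login accepted
        }
    }

    // Safe version: the statement is compiled with two placeholders first; the values
    // bound afterwards with setString are treated purely as data, never parsed as SQL.
    static boolean loginSafe(Connection conn, String userName, String password) throws SQLException {
        String sql = "select * from user_table where username=? and password=?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, userName);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: a JDBC driver is on the classpath and args[0] is its connection URL
        // (any empty database will do; the table below is created just for this demo).
        try (Connection conn = DriverManager.getConnection(args[0]);
             Statement st = conn.createStatement()) {
            st.execute("create table user_table(username varchar(64), password varchar(64))");
            st.execute("insert into user_table values ('alice', 'secret')");   // constructed row
            String injected = "' or 1 = 1 --";
            System.out.println("unsafe, injected input:  " + loginUnsafe(conn, injected, ""));  // true
            System.out.println("safe,   injected input:  " + loginSafe(conn, injected, ""));    // false
            System.out.println("safe,   real credentials: " + loginSafe(conn, "alice", "secret")); // true
        }
    }
}
```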
2. Use regular expressions to filter incoming parameters
Package to import:
    import java.util.regex.*;
Regular expression:
    private String CHECKSQL = "^(.+)\\sand\\s(.+)|(.+)\\sor(.+)\\s$";
Check whether the parameter matches it:
    Pattern.matches(CHECKSQL, targetStr);
Here are the specific regular expressions:
Regular expression to detect SQL meta-characters:
    /(\%27)|(\')|(\-\-)|(\%23)|(#)/ix
Modified regular expression to detect SQL meta-characters:
    /((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(;))/i
Regular expression for a typical SQL injection attack:
    /\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix
Regular expression to detect SQL injection using the UNION query keyword:
    /((\%27)|(\'))union/ix
Here (\%27)|(\') matches a single quote or its URL-encoded form, followed by the keyword union.
Regular expression to detect MS SQL Server SQL injection attacks:
    /exec(\s|\+)+(s|x)p\w+/ix
Note that these patterns are a blacklist: they reject only the forms they list, can be evaded by other encodings or keywords, and also reject some legitimate input, so they are a supplementary check rather than a replacement for PreparedStatement.
3. String Filtering
A more general method (further "|"-separated entries can be added as your program requires):
    public static boolean sql_inj(String str) {
        // blacklist of suspicious fragments; you can add your own entries here
        String inj_str = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|;|or|-|+|,";
        String[] inj_stra = inj_str.split("\\|");   // "|" is a regex alternation, so it must be escaped
        for (int i = 0; i < inj_stra.length; i++) {
            if (str.indexOf(inj_stra[i]) >= 0) {
                return true;   // a blacklisted fragment was found
            }
        }
        return false;
    }
4. Calling this function from the JSP to check whether a parameter contains illegal characters
To prevent SQL injection through URL parameters, the JSP passes each parameter taken from the request (for example from the URL) to the sql_inj function above and rejects the request when it returns true.
Because indexOf matches substrings, this check also rejects legitimate values that merely contain "or", "and", "-" or "," (a name such as "Morgan", for instance), so it is a coarse filter to use alongside PreparedStatement rather than instead of it.
5. JSP page check code:
Use JavaScript on the client to mask unsafe characters.
Function description: checks whether the string contains ', \ or /
Parameter: the string to check
Return value: 0 = contains one of these characters; 1 = does not
The function is:
    // returns 0 if a contains one of the characters ', \ or /, otherwise 1
    function check(a) {
        var fibdn = new Array("'", "\\", "/");
        var i = fibdn.length;
        var j = a.length;
        for (var ii = 0; ii < i; ii++) {
            for (var jj = 0; jj < j; jj++) {
                var temp1 = a.charAt(jj);
                var temp2 = fibdn[ii];
                if (temp1 == temp2) {
                    return 0;
                }
            }
        }
        return 1;
    }
A client-side check like this only improves the user experience; it can be bypassed by sending the request directly, so the server-side checks above remain necessary.