SQL injection attacks (SQL Injection), referred to injection attacks, Web development is the most common form of security vulnerabilities. You can use it to obtain sensitive information from the database, or the use of the characteristics of the process of adding users to the database, export file and a series of malicious actions, there may even get a database as well as the highest authority system users.
SQL injection caused because the program does not effectively filter user input, so that an attacker successfully submitted to the server malicious SQL query code, the program will receive the error after the attacker's input as a part of query execution, leading to the original the query logic is changed, the additional execution of attacker crafted malicious code.
Many Web developers do not realize how SQL queries can be tampered with, so that an SQL query is a trusted command. As everyone knows, SQL queries are able to circumvent access controls, thereby bypassing standard authentication and authorization checks. What is more, it is possible to run SQL queries through the host system level commands.
The following will be some real examples to explain in detail the way SQL injection.
Consider the following simple login form :
<form action="/login" method="POST">
<p>Username: <input type="text" name="username" /></p>
<p>Password: <input type="password" name="password" /></p>
<p><input type="submit" value="Login" /></p>
</form>Our processing inside the SQL might look like this :
username := r.Form.Get("username")
password := r.Form.Get("password")
sql := "SELECT * FROM user WHERE username='" + username + "' AND password='" + password + "'"If the user input as the user name, password, any
myuser' or 'foo' = 'foo' --Then our SQL becomes as follows:
SELECT * FROM user WHERE username='myuser' or 'foo'=='foo' --'' AND password='xxx'In SQL, anything after -- is a comment. Thus inserting -- alters the query. This allows the attacker to successful login as a user without a valid password.
There are far more dangerous for a MSSQL SQL injection, is the control system, the following examples will demonstrate how terrible in some versions of MSSQL database to perform system commands.
sql := "SELECT * FROM products WHERE name LIKE '%" + prod + "%'"
Db.Exec(sql)If the attacker Submit a%' exec master..xp_cmdshell 'net user test testpass /ADD' -- prod value as a variable, then the sql will become
sql := "SELECT * FROM products WHERE name LIKE '%a%' exec master..xp_cmdshell 'net user test testpass /ADD'--%'"MSSQL Server executes the SQL statement, including its back that is used to add new users to the system commands. If this program is run sa and the MSSQLSERVER service sufficient privileges, the attacker can get a system account to access this machine.
Although the examples above is tied to a specific database systems, but this does not mean that other database systems can not implement a similar attack. In response to this vulnerability, as long as the use of different methods, various databases are likely to suffer.
Perhaps you will say the attacker to know the database structure information in order to implement SQL injection attacks. True, but no one can guarantee the attacker must get this information, once they got, the database exists the risk of leakage. If you are using open source software to access the database, such as forum, the intruders easily get the related code. If the code is poorly designed, then the risk is even greater. Currently Discuz, phpwind, phpcms popular open source programs such as these have been precedents of SQL injection attacks.
These attacks happen when safety is not high on the code. So, never trust any kind of input, especially from the user's data, including the selection box, a hidden input field or a cookie. As a first example above it, even if it is a normal query can cause disasters.
SQL injection attacks harm so great, then how to combat it ? Following suggestions may be the prevention of SQL injection have some help.
- Strictly limit the operation of the Web application database permissions to this user is only able to meet the minimum permissions of their work, thus to minimize the harm to the database injection attacks.
- Check whether the data input has the expected data format, and strictly limit the types of variables, such as using some regexp matching processing package, or use strconv package right string into other basic types of data to judge.
- Pairs of special characters into the database ( '"&*; etc. ) be escaped, or transcoding. Go to
text/templatepackage inside theHTMLEscapeStringfunction can be escaped strings. - All the recommended database query parameterized query interface, parameterized statement uses parameters instead of concatenating user input variables in embedded SQL statements that do not directly spliced SQL statement. For example, using
database/sqlinside the query functionPrepareandQuery, orExec(query string, args... interface {}). - In the application before releasing recommend using a professional SQL injection detection tools to detect, and repair was discovered when a SQL injection vulnerability. There are many online open source tool in this regard, for example, sqlmap, SQLninja so on.
- Avoid printing out SQL error information on webpage in order to prevent an attacker using these error messages for SQL injection. Ex. such as type errors, and fields not matching, or any SQL statements.
Through the above example we can know, SQL injection is harmful to considerable security vulnerabilities. So we usually write for a Web application, it should be for every little detail must attach great importance to the details determine the fate of life is so, writing Web applications as well.
- [Directory] (preface.md)
- Previous section: [XSS attacks] (09.3.md)
- Next section: [Password storage] (09.5.md)