The so-called SQL injection, that is inserted into SQL commands via the Web form to submit or enter a domain name or page request query string, and ultimately to deceive the server to execute malicious SQL commands, such as the previously leaked a lot of video sites mostly through VIP membership password WEB submit a query form character storms out of such forms are particularly vulnerable to SQL injection attacks. When the most vulnerable to sql injection attack When an application uses input to construct dynamic sql statement to access the database, sql injection attacks occur. If the code using stored procedures, stored procedures, as these contain unfiltered user input string to pass, will occur sql injection. sql injection may cause an attacker to use the application to execute commands in the database log. Can be related to SQL injection testing tools pangolin can be. If the application uses the high privilege account to connect to the database, this problem will become very serious. In some form, the user input to construct dynamic sql command directly, or as a stored procedure input parameters, these forms are particularly vulnerable to sql injection attacks. Many sites in the writing process, not the user input to determine the legality of the program itself, or improper handling of variables, so that application security risk. In this way, users can submit a database query code, according to the procedure to return the results to obtain sensitive information or control the entire server, so sql injection occurred. How to prevent SQL Injection Summarize the following main points: 1. Never trust user input. Verify the user's input can be a regular expression, or limit the length; of single and double "-" for conversion. 2 Never use the dynamic assembly sql, sql you can use parameterized stored procedures or direct use of data query access. 3. Never connect the database with administrator privileges, use a separate application for each of the limited access database connection.
4 Do not store sensitive information directly, or hash out encryption password and sensitive information. 5 Application exception information should be given tips as little as possible, preferably using a custom error message error message on the original packaging 6.sql into the detection methods in general, or website platform supporting software to detect, the software generally use the sql injection detection tool jsky, web platform, there Yisi site security platform testing tool.
No comments:
Post a Comment