How to Avoid SQL Injection Vulnerabilities

最新推荐文章于 2024-08-07 14:12:54 发布
最新推荐文章于 2024-08-07 14:12:54 发布
阅读量1.1k 收藏
点赞数
分类专栏: 渗透测试相关

https://www.owasp.org/index.php/Guide_to_SQL_Injection

There are two complementary and successful methods of mitigating SQL Injection attacks:

有两种互为补充的方法可以缓解SQL注入攻击:

  • Parameterized queries using bound, typed parameters
  • 使用绑定、类型参数进行参数化查询
  • Careful use of parameterized stored procedures.
  • 注意使用参数的储存过程

Parameterized queries are the easiest to adopt, and work in fairly similar ways among most web technologies in use today, including:

在现在大多数web技术中,参数化查询较容易使用,且运行过程相似:

  • Java
  • .NET
  • Perl
  • PHP

Parameterized Queries with Bound Parameters

Parameterized queries keep the query and data separate through the use of placeholders known as "bound" parameters. For example in Java, this looks like this:

参数化查询使用占位符(称之为绑定参数)使查询和数据分开。例如在Java中:

"select * from table where columna=? and columnb=?"

The developer must then set values for the two ? placeholders. Note that using this syntax without actually using the placeholders and setting values provides no protection against SQL injection.

开发这必须为两个问号占位符进行复制。注意:不使用占位符或者不设定值的语法不能提供SQL注入保护。

Parameterized Stored Procedures

The use of parameterized stored procedures is an effective mechanism to avoid most forms of SQL Injection. In combination with parameterized bound queries, it is very unlikely that SQL injection will occur within your application. However, the use of dynamic code execution features can allow SQL Injection as shown below:

参数化存储过程能够有效的应对多种SQL注入。结合参数化绑定查询,你的应用程序几乎可以避免出现SQL注入的问题。但是,使用动态代码执行的特点可以导致SQL注入问题,如下代码所示:

create proc VulnerableDynamicSQL(@userName nvarchar(25))as

 declare @sql nvarchar(255)
 set @sql = 'select * from users where UserName =  
   + @userName + '
 exec sp_executesql @sql

(MS SQL example from http://dotnetjunkies.com/WebLog/chris.taylor/archive/2004/10/13/28370.aspx)

The above example still allows SQL Injection as it allows dynamic injection of arbitrary string data. This is also true of Java / PL/SQL and MySQL's stored procedure support.

Least privilege connections

Always use accounts with the minimum privilege necessary for the application at hand, never “sa”, “dba”, “admin”, or the equivalent.

使用尽可能小的权限连接数据库,尽量不适用“sa”, “dba”, “admin”等

WARNING: Escaping table names

You must be very vigilant about mitigating SQL Injection when users supply table names, so in general it is best never to allow them to do so free-form. Allowing users to supply table names in free form seems to be a common issue with PHP forum software.

当用户提供数据表名字时,必须谨慎的处理SQL注入问题,所以一般情况下,尽可能避免允许用户随意提供数据表名。PHP论坛软件中普遍存在随意提供数据表名的问题。

$tablename = mysql_real_escape_string($tablename)

is simply not safe and cannot be made so.

In general:

  • Avoid using dynamic table names if at all possible.
  • 尽可能的避免动态表名
  • If you have to use dynamic table names, do not accept them from the user if at all possible.
  • 如果不得不使用动态表名,尽可能的不让用户提供
  • If you have to allow user-supplied table names, use your database management system's functionality for quoting identifiers. PostgreSQL, for example, supplies a quote_ident() function for this purpose. If your database management system does not have such functionality, you must assume that its other countermeasures against attacks from outside are insufficient to fend off anything, and should migrate off that database management system as soon as you can.
  • 如果不得不让用户提供表名,对于引用标示符使用数据库管理系统函数。例如,PostgreSQL提供了quote_ident()函数。如果数据库管理系统没有这样的函数,并且数据库管理系统的其他防护措施缺乏的话,尽可能的迁移数据库管理系统。
kezhen
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
Detecting SQL Injection Vulnerabilities
MyDriverC
10-16 400
http://intellavis.com/blog/?p=462
非常见SQL注入漏洞及利用 Unusual SQL injection vulnerabilities and how to exploit them
zhaohengyuan的专栏
04-08 7944
by By ogdan Calin    在本篇文章中,我会谈到一些不常见的SQL注入漏洞,并且说明如何利用这些漏洞。    和最近所报道的一些典型的SQL注入不同,在这种形式的注入漏洞中,攻击者可以控制SQL语句中的 ORDER BY,LIMIT或者GROUP BY 子句。    本篇文章中所有的示例都采用MySql做为终端数据库,这些技巧也可以用到其他数据库中。    
【30】WEB安全学习----XXE攻击
尚未佩妥剑 转眼便江湖
10-04 328
一、DTD知识 DTD 文档类型定义(DTD)可定义合法的XML文档构建模块。它使用一系列合法的元素来定义文档的结构。 DTD 可被成行地声明于 XML 文档中,也可作为一个外部引用。 内部的 DOCTYPE 声明 假如 DTD 被包含在您的 XML 源文件中,它应当通过下面的语法包装在一个 DOCTYPE 声明中: <!DOCTYPE 根元素 [元素声明]>   外...
SQL Injection
kezhen的专栏
03-23 2652
https://www.owasp.org/index.php/SQL_Injection Overview A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A succe
How To: Protect From SQL Injection in ASP.NET
weixin_34195142的博客
11-12 211
< DOCTYPE html PUBLIC -WCDTD XHTML TransitionalEN httpwwwworgTRxhtmlDTDxhtml-transitionaldtd> Summary This How To shows a number of ways to help protect your ASP.NET appli...
SQL Injection Prevention Cheat Sheet
gyc567的专栏
07-26 355
SQL Injection Prevention Cheat Sheet     Contents  [hide]  1 Introduction 2 Primary Defenses 2.1 Defense Option 1: Prepared Statements (Parameterized Queries) 2.2 Defense Option ...
SQL Injection through HTTP Headers
收集盒 Book box
07-05 1186
During vulnerability assessment or penetration testing, identifying the input vectors of the target application is a primordial step. Sometimes, when dealing with Web application testing, verification
Python Penetration Testing Essentials, 2nd Edition
04-23
By reading this book, you will learn different techniques and methodologies that will familiarize you with Python pentesting techniques... and how to create automated programs to find the admin console...
essential skills of java
04-16
- **Data Validation:** Ability to validate input data to prevent injection attacks like SQL injection and cross-site scripting (XSS). - **Sanitization Techniques:** Proficiency in sanitizing user ...
How to Hack a WordPress Site using SQL Injection
天元喜羊羊的博客
08-04 1373
http://www.flippercode.com/how-to-hack-wordpress-site-using-sql-injection First of all, My intention is not to teach someone how to hack sites of others and destroy others hardwork. This is g
How can I prevent SQL-injection in PHP?
happygogf的专栏
03-11 3398
2788down votefavorite 2528 If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example: $unsafe_
mybatis like 模糊查询
08-29
Remember to properly handle any input parameters to avoid SQL injection vulnerabilities. You can use prepared statements or other mechanisms provided by MyBatis or your database to ensure safe ...
linux渗透测试常用命令
学-> 思->用
08-07 76
【代码】linux渗透测试常用命令。
Find-Sec-Bugs 漏洞范例
热门推荐
zhaohonghan的博客
04-03 1万+
Find-Sec-Bugs 漏洞范例 欢迎使用Markdown编辑器 你好! 这是你第一次使用 Markdown编辑器 所展示的欢迎页。如果你想学习如何使用Markdown编辑器, 可以仔细阅读这篇文章,了解一下Markdown的基本语法知识。 新的改变 我们对Markdown编辑器进行了一些功能拓展与语法支持,除了标准的Markdown编辑器功能,我们增加了如下几点新功能,帮助你用它写博客: ...
购物节抽奖小程序(源码).zip
最新发布
09-10
购物节抽奖小程序(源码).zip
分享:灵敏度分析.docx
09-10
灵敏度分析是一种评估模型输出对于输入参数变化的敏感程度的方法。在不同的领域,灵敏度分析可以有不同的应用和意义,但基本概念是相似的。以下是灵敏度分析在几个不同领域的常见应用: 1. **金融建模**:在金融领域,灵敏度分析通常用来评估投资组合对市场变量(如利率、汇率、股价波动等)的敏感性。通过这种分析,投资者可以理解不同市场条件变化对投资组合价值的潜在影响。 2. **环境科学**:在环境影响评估中,灵敏度分析可以帮助科学家了解生态系统对不同压力(如温度变化、污染物增加等)的响应程度。这有助于制定更有效的环境保护措施。 3. **工程学**:工程师在设计系统或结构时,会进行灵敏度分析来确定哪些参数对系统性能影响最大,从而优化设计和降低潜在风险。 4. **医学研究**:在临床试验和流行病学研究中,灵敏度分析用于评估结果对于模型假设或数据处理方法的依赖性。 5. **能源领域**:在能源系统分析中,灵敏度分析可以帮助评估能源消耗和生产对价格、技术进步和政策变化的敏感性。 6. **供应链管理**:企业通过灵敏度分析来评估供应链对各种风险因素(如供应中断、需求波动等)的敏感性,以
sql injection
03-29
SQL injection is a type of cyber attack where an attacker injects malicious ... Regular security audits and vulnerability assessments can also help to identify and mitigate SQL injection vulnerabilities.
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值