MySQL injection defense



1. Application layer defense

1. The root cause of SQL injection is an application-layer problem: the application builds SQL text out of untrusted input.

2. The goal of application-layer defense is to fix every place where SQL is built from untrusted input and to keep new ones from appearing. The primary fix is parameterized (prepared) statements, which keep user data out of the SQL grammar entirely; the filters below are defense in depth on top of that, not a replacement for it.

  • Filter the basic SQL injection characters and constructs:

    ' or "      string closure (terminates a quoted literal)

    -- or #     single-line comment (cuts off the rest of the original query)

    /*...*/     multi-line comment

    +           plus sign; stands in for a space in URL-encoded parameters

    concat      string concatenation (joins several columns into one output field)

    %           LIKE wildcard

    ?Param1=foo&Param2=bar   URL parameters

    select      prints constants (e.g. in a UNION SELECT), etc.

    @variable   user-defined (session) variable

    @@variable  system variable (global or session, e.g. @@version)

    sleep(10)   sleeps for 10 seconds (time-based blind injection)

    Such a blacklist is bypassed by case changes, URL or hex encoding, alternative syntax, and by numeric contexts (mid=1 OR 1=1) that need none of the listed characters, and it mangles legitimate input such as O'Brien. Treat it as a second line of defense only.

  • Filter SQL keywords

    e.g. add, asc, call, check, cross, database, databases, alter, as, by, case, create

    Keyword filtering has the same limits as character filtering, and short reserved words such as "as" and "by" occur in ordinary text, so match whole words only and expect false positives.
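The two filter bullets above describe a blacklist. The following Python example, added here and not part of the original article, implements that blacklist as a function, places it beside the two ways an application can build the tokusyu.php query (string splicing versus a parameterized statement), and shows why the blacklist is only defense in depth: a numeric-context payload needs none of the listed characters, while the parameterized query is unaffected. sqlite3 from the standard library stands in for MySQL so the example runs offline; the table, rows and function names are constructed for the example. With a MySQL driver such as PyMySQL or mysql-connector the placeholder is %s instead of ?; the rest is unchanged.

```python
import re
import sqlite3

# Constructed sample data: sqlite3 (standard library) stands in for MySQL so the
# example runs offline. Column and parameter names follow the article's URL.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tokusyu (tksid INTEGER, mid INTEGER, title TEXT)")
    conn.executemany(
        "INSERT INTO tokusyu VALUES (?, ?, ?)",
        [(473, 1, "public page"), (474, 1, "second page"), (900, 2, "other tenant")],
    )
    return conn


# 1. The blacklist the article lists, as a function (tokens and keywords from the text).
BLACKLIST_TOKENS = ["'", '"', "--", "#", "/*", "*/", "+", "%", "@@", "@", "?", "&"]
BLACKLIST_WORDS = ["select", "concat", "sleep", "add", "asc", "call", "check", "cross",
                   "database", "databases", "alter", "as", "by", "case", "create"]

def blacklist_filter(value: str) -> str:
    """Strip the listed characters and whole-word keywords (case-insensitive)."""
    for tok in BLACKLIST_TOKENS:
        value = value.replace(tok, "")
    pattern = r"\b(" + "|".join(BLACKLIST_WORDS) + r")\b"
    return re.sub(pattern, "", value, flags=re.IGNORECASE)


# 2. Vulnerable query: request values spliced into the SQL text.
def lookup_concat(conn, mid: str, tksid: str):
    sql = f"SELECT tksid, title FROM tokusyu WHERE mid = {mid} AND tksid = {tksid}"
    return conn.execute(sql).fetchall()


# 3. Hardened query: placeholders; the driver binds the values, they are never parsed as SQL.
def lookup_param(conn, mid: str, tksid: str):
    sql = "SELECT tksid, title FROM tokusyu WHERE mid = ? AND tksid = ?"
    return conn.execute(sql, (mid, tksid)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "473 OR 1=1"      # numeric context: no quote, comment or listed keyword needed
    filtered = blacklist_filter(payload)
    print(filtered == payload)                      # True: the blacklist lets it through
    print(lookup_concat(conn, "1", filtered))       # all three rows, including tenant 2's
    print(lookup_param(conn, "1", payload))         # []: no row has that tksid
    print(repr(blacklist_filter("Tom's check")))    # 'Toms ': legitimate input mangled
```

The spliced query becomes `WHERE mid = 1 AND tksid = 473 OR 1=1`, so the OR swallows the whole condition; the bound version compares the column against the literal text "473 OR 1=1" and matches nothing.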

  • Encrypt the URL parameters as a whole

    • Original URL

      https://61.106.xxx.xxx/corp/tokusyu.php?mid=1&tksid=473

    • After whole-parameter encryption

      https://61.206.xxx.xxx/corp/tokusyu.php?action=LSKDJFOINWHEO

      The client can no longer edit mid or tksid directly. This only removes the injection surface at the URL if the token is authenticated (an AEAD mode or an HMAC) so it cannot be modified or forged, and if the server still validates the decrypted values and passes them to the database as parameters.
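How the opaque `action` token above can be minted and checked, as an added example that is not the article's code. Here the parameters are serialized and protected with an HMAC-SHA256 tag rather than encrypted, because integrity is the property that stops a client from changing mid or tksid; the values themselves stay readable. To hide them as the article's URL does, wrap the body in an AEAD such as AES-GCM (for example from the `cryptography` package, not used here so that only the standard library is needed); unauthenticated encryption on its own would still be malleable. SECRET_KEY, the function names and the request handling are assumptions of this example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: in production this key is provisioned once and shared by every web
# node that mints or verifies tokens. Generated per process here for the example.
SECRET_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_action(params: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize params deterministically and append an HMAC-SHA256 tag."""
    body = json.dumps(params, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(tag)}"


def open_action(token: str, key: bytes = SECRET_KEY):
    """Return the params dict if the tag verifies, otherwise None (body is never trusted first)."""
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def protect_url(url: str) -> str:
    """Replace the visible query string with a single opaque `action` token."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return urlunsplit(parts._replace(query=urlencode({"action": mint_action(params)})))


def handle_request(query: str):
    """Server side: recover mid and tksid from the token, then validate their types."""
    token = dict(parse_qsl(query)).get("action", "")
    params = open_action(token)
    if params is None:
        return None                        # forged, truncated or tampered token
    try:
        return {"mid": int(params["mid"]), "tksid": int(params["tksid"])}
    except (KeyError, ValueError, TypeError):
        return None                        # right tag but unexpected content


if __name__ == "__main__":
    original = "https://61.106.xxx.xxx/corp/tokusyu.php?mid=1&tksid=473"
    protected = protect_url(original)
    print(protected)
    print(handle_request(urlsplit(protected).query))   # {'mid': 1, 'tksid': 473}
    print(handle_request("mid=2&tksid=473"))            # None: plain parameters are no longer accepted
```

The validated integers returned by handle_request are what the application binds into its parameterized query; tokens should additionally carry an expiry and be bound to the issuing session, otherwise a link minted for one user can be replayed by another.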


2. System-level defense

1. SQL injection is not, at root, a system-level problem.

2. System-layer defense plays an auxiliary role: it keeps a successful SQL injection from interacting with the operating system to escalate privileges, and it stops a compromise from spreading further, so that injection gains the attacker nothing at the system layer.

  • iptables rules that accept logins and database connections only from specific server IPs and ports (for example, TCP 3306 only from the application servers, SSH only from a bastion host, everything else dropped)

    If an attacker does escalate through SQL injection, this prevents spreading to other servers

  • Use a web application firewall (WAF) to reject requests that carry SQL injection patterns

  • Database security middleware, such as GreenSQL, SafeDog (安全狗), etc.


3. Database layer defense

1. SQL injection is not, at root, a database-layer problem.

2. Database-layer defense is auxiliary: it prevents a successful injection from using the database to reach the system layer and escalate privileges, and it limits how far the attacker's permissions and the resulting data leakage can extend.

  • Principle of least privilege for database accounts

    REVOKE FILE ON *.* FROM 'zhangsan'@'%';  -- strip the FILE privilege (LOAD_FILE(), SELECT ... INTO OUTFILE) from user zhangsan

    Permissions for the application's connection account follow the principle of least privilege: grant nothing that can be withheld.

    Most application accounts need only SELECT, INSERT, UPDATE and DELETE, so grant exactly those. Without FILE the account cannot read or write the file system, which closes the path from SQL injection into the system layer and confines a successful injection to the data the account can already reach.
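A way to check that an account actually follows the least-privilege rule above, as an added Python example that is not from the article: it parses SHOW GRANTS output (the two accounts below are constructed for the example, not captured from a real server), flags privileges that give a path to the file system or the whole server (FILE, SUPER, PROCESS, ...), flags anything outside the four DML privileges an application needs, and emits the matching REVOKE statements. Feed it the output of `SHOW GRANTS FOR 'user'@'host'` from a real server; the privilege sets and account names here are assumptions of the example.

```python
import re

# SHOW GRANTS output for two accounts, constructed for this example (not captured
# from a real server). The audit below works on any such list of lines.
SAMPLE_GRANTS = {
    ("zhangsan", "%"): [
        "GRANT FILE, PROCESS ON *.* TO `zhangsan`@`%`",
        "GRANT SELECT, INSERT, UPDATE, DELETE ON `corp`.* TO `zhangsan`@`%`",
    ],
    ("webapp", "10.0.0.5"): [
        "GRANT USAGE ON *.* TO `webapp`@`10.0.0.5`",
        "GRANT SELECT, INSERT, UPDATE, DELETE ON `corp`.* TO `webapp`@`10.0.0.5`",
    ],
}

# Privileges that let a SQL injection reach the host or administer the whole server.
DANGEROUS = {"FILE", "SUPER", "PROCESS", "SHUTDOWN", "RELOAD", "CREATE USER",
             "GRANT OPTION", "ALL", "ALL PRIVILEGES"}
# The only privileges a typical application account needs (USAGE means "no privilege").
APP_ALLOWED = {"SELECT", "INSERT", "UPDATE", "DELETE", "USAGE"}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+\S+"
    r"(?P<with>\s+WITH\s+GRANT\s+OPTION)?",
    re.IGNORECASE,
)


def parse_grant(line: str):
    """Return (set of privilege names, scope) for one SHOW GRANTS line, or None."""
    m = GRANT_RE.match(line.strip())
    if not m:
        return None
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    if m.group("with"):
        privs.add("GRANT OPTION")
    return privs, m.group("scope")


def audit(grant_lines):
    """List the least-privilege violations in a SHOW GRANTS result."""
    findings = []
    for line in grant_lines:
        parsed = parse_grant(line)
        if parsed is None:
            findings.append(f"could not parse: {line}")
            continue
        privs, scope = parsed
        for p in sorted(privs & DANGEROUS):
            findings.append(f"dangerous privilege {p} on {scope}")
        for p in sorted(privs - DANGEROUS - APP_ALLOWED):
            findings.append(f"unexpected privilege {p} on {scope}")
        if scope == "*.*" and privs != {"USAGE"}:
            findings.append(f"global scope for {', '.join(sorted(privs))}")
    return findings


def revoke_statements(user: str, host: str, grant_lines):
    """REVOKE statements that remove every dangerous privilege found."""
    stmts = []
    for line in grant_lines:
        parsed = parse_grant(line)
        if parsed is None:
            continue
        privs, scope = parsed
        for p in sorted(privs & DANGEROUS):
            stmts.append(f"REVOKE {p} ON {scope} FROM '{user}'@'{host}';")
    return stmts


if __name__ == "__main__":
    for (user, host), lines in SAMPLE_GRANTS.items():
        print(f"{user}@{host}: {audit(lines) or 'OK'}")
        for stmt in revoke_statements(user, host, lines):
            print("  " + stmt)
```

For zhangsan the audit reports FILE and PROCESS on *.* and produces the same REVOKE FILE statement the article shows; the webapp account, holding only the four DML privileges on its own schema, passes cleanly.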

  • Standardization requirements for database-layer design

    • A professional SQL review led by the DBA

    • Schema design that keeps performance as high as possible while also limiting how much an attacker can learn by guessing at the SQL and provoking errors

    • Database architecture design weighs performance against security; in practice security is traded off on the condition that performance is guaranteed

      varchar(20): a compromise between security and performance

      varchar(5): biased towards performance; performance and security are not maximized at the same time


Source: blog.csdn.net/qq_43665434/article/details/114629924