SQL Injection Attacks

  • SQL injection attacks are highly dangerous. Before explaining how to prevent them, database administrators first need to understand the principle of the attack; this allows them to take targeted preventive measures.
  • SQL injection is one of the more common ways of attacking a database. In this attack, the attacker places malicious code into a string that is then passed, by various means, to an instance of SQL Server for parsing and execution. As long as the malicious code follows the syntax rules of SQL, the system will not notice it when the statement is compiled and executed.
  • SQL injection attacks take two main forms. In the first, code is inserted directly into an SQL command that is concatenated with the user's input variables; the example the author gave above uses this method. Because the code is tied directly to the SQL statement, this is also known as direct injection. The second is an indirect attack: the malicious code is first stored in a table, or as a character string in the original database, and is later concatenated into a dynamic SQL command, causing the malicious code to execute.
  • The injection process works by terminating a text string early and then appending a new command. Take direct injection as an example: in the user input variable, the current statement is first ended with a semicolon, and a malicious SQL statement is inserted after it. Because the application may append further characters to the string before it is executed, the attacker often finishes the injected text with the comment marker "--". When the statement runs, the system treats everything after that position as a comment, so the trailing text is ignored rather than compiled and executed.
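The following is an added example, not code from the original post, showing the two forms described above side by side with their hardened counterparts. It assumes a small constructed `users` table and uses Python's built-in `sqlite3` in place of the SQL Server instance the article discusses (sqlite also honours the `--` line comment, so the termination mechanism behaves the same way). `lookup_concat` and `audit_active_concat` splice strings into SQL text (direct and indirect injection respectively); `lookup_param` and `audit_active_param` use placeholders so the same input stays data.

```python
import sqlite3


def make_db():
    """Constructed sample database standing in for the article's SQL Server instance."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, active INTEGER)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret', 1)")
    conn.commit()
    return conn


def store_user(conn, name, password, active):
    """The write path is parameterized, so a stored string is inserted verbatim and
    causes no harm here; the danger appears only when it is later spliced into SQL."""
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, password, active))
    conn.commit()


def lookup_concat(conn, name, password):
    """Direct injection: user input is concatenated straight into the SQL text.
    Input ending in a quote and `--` closes the literal and comments out the
    rest of the statement, so the password condition never runs."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name, password):
    """Hardened form: placeholders keep the input as a value, never as SQL tokens."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def audit_active_concat(conn):
    """Indirect (second-order) injection: names read back from the table are trusted
    and concatenated into a new dynamic statement, so SQL syntax that was safely
    stored earlier executes now. Returns {stored name: count of matching active users}."""
    out = {}
    for (name,) in conn.execute("SELECT name FROM users").fetchall():
        sql = "SELECT COUNT(*) FROM users WHERE name = '" + name + "' AND active = 1"
        out[name] = conn.execute(sql).fetchone()[0]
    return out


def audit_active_param(conn):
    """Hardened form of the same audit: the stored value is bound as a parameter."""
    out = {}
    for (name,) in conn.execute("SELECT name FROM users").fetchall():
        sql = "SELECT COUNT(*) FROM users WHERE name = ? AND active = 1"
        out[name] = conn.execute(sql, (name,)).fetchone()[0]
    return out


if __name__ == "__main__":
    conn = make_db()
    # Direct form: the comment marker discards the password check in the concatenated query.
    print("concat :", lookup_concat(conn, "alice' --", "wrong"))   # ['alice']
    print("param  :", lookup_param(conn, "alice' --", "wrong"))    # []
    # Indirect form: the string is harmless at insert time and fires in a later dynamic query.
    store_user(conn, "alice' --", "pw", 0)
    print("concat :", audit_active_concat(conn))
    print("param  :", audit_active_param(conn))
```

The fix in both cases is the same: never build SQL by string concatenation from values that originated outside the statement, including values read back from your own tables, and bind them as parameters instead.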

Reproduced from: https://my.oschina.net/766/blog/211522

Origin: blog.csdn.net/weixin_33957648/article/details/91547896