SQL injection: commonly used methods of determination

First, what is SQL injection?

  SQL injection changes the logical structure of the original SQL statement, so that the result is no longer what the developer of the SQL statement intended;

Why does SQL injection happen?

  1. During program development no attention is paid to the rules for writing SQL statements or to keyword filtering, so nothing prevents the client from submitting SQL to the server through the global variables of a GET or POST request;

  2. Parameters are not pre-processed (not parameterized): the submitted form data is spliced into a complete statement as parameters and then executed, so other statements can be executed along the way. For example, the statement was originally select * from user where username = [parameter 1] and password = [parameter 2], but after the user-supplied parameters are spliced in, what executes is: select * from user where username = '' or 1 = 1 # and password = [parameter 2]. Everything after the # is a comment, so what actually runs is select * from user where username = '' or 1 = 1; since 1 = 1 is true, and false OR true is true, the entire table is returned. The result set is therefore non-empty, and the login succeeds.

How to determine whether SQL injection is present?

  1. Integer parameter determination
    Usually the original SQL statement in news.asp looks like:
      select * from table where field = xx
    so the following step can test whether SQL injection is present.
      The simplest method of determination:
        http://xxx/news.asp?id=xx' (append a single quotation mark)
  2. String parameter determination
    Usually the original SQL statement in news.asp looks like:
      select * from table where field = 'xx'
    so the following steps can test whether SQL injection is present.
      http://xxx/news.asp?id=xx' (append a single quotation mark); at this point the SQL statement in news.asp becomes
        select * from table where field = xx'
      and news.asp runs abnormally;
      http://xxx/news.asp?id=xx and '1'='1' : news.asp runs normally, with the same result as http://www.hackbase.com/news.asp?id=xx;
      http://xxx/news.asp?id=xx and '1'='2' : news.asp runs abnormally;
    If all of the above hold, news.asp has a SQL injection vulnerability; otherwise it cannot be injected.
How to prevent SQL injection

  1. PreparedStatement

    Use a precompiled statement set, which has built-in handling for SQL injection, as long as you pass the values through its setXXX methods.

    Benefits of use:

      (1) Readable and maintainable code.

      (2) PreparedStatement improves performance as far as possible.

      (3) Most importantly, it greatly improves safety.

    Principle:

      SQL injection can only do damage during the preparation (compilation) of the SQL statement. With a PreparedStatement the statement is already prepared, and the strings supplied at the execution stage are processed as data rather than parsed as part of the SQL statement, so the SQL injection problem is avoided.
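As an added example (not code from the original post), the spliced login query from the explanation above beside its PreparedStatement form. It assumes an H2 in-memory database with the H2 JDBC driver on the classpath, a constructed app_user table, and uses -- as the comment marker where the text uses MySQL's #.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class LoginDemo {
    // Vulnerable form described in the text: user input is spliced into the statement text.
    static boolean loginSpliced(Connection c, String user, String pass) throws SQLException {
        String sql = "select * from app_user where username = '" + user
                   + "' and password = '" + pass + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next();   // "login succeeds" whenever the result set is non-empty
        }
    }

    // Hardened form: the statement is compiled with placeholders, values are bound as data.
    static boolean loginPrepared(Connection c, String user, String pass) throws SQLException {
        String sql = "select * from app_user where username = ? and password = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, user);
            ps.setString(2, pass);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: H2 in-memory database with the H2 driver on the classpath.
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = c.createStatement()) {
                st.execute("create table app_user(username varchar(64), password varchar(64))");
                st.execute("insert into app_user values ('alice', 's3cret')"); // constructed row
            }
            // The page's payload; '--' is the standard comment marker equivalent to MySQL's '#'.
            String payload = "' or 1=1 --";
            System.out.println("spliced, payload : " + loginSpliced(c, payload, "wrong"));
            System.out.println("prepared, payload: " + loginPrepared(c, payload, "wrong"));
            System.out.println("prepared, valid  : " + loginPrepared(c, "alice", "s3cret"));
        }
    }
}
```

With the payload the spliced query matches the whole table and reports a successful login, while the prepared query looks for a user literally named ' or 1=1 -- and finds none.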

  2. Use a regular expression to filter incoming parameters

    Import the package:

    import java.util.regex.*;

    Regular expression:

    private String CHECKSQL = "^(.+)\\sand\\s(.+)|(.+)\\sor(.+)\\s$";

    Determine whether it matches:

    Pattern.matches(CHECKSQL, targetStr);

    The following are specific regular expressions:

    Regular expression for detecting SQL meta-characters:

    /(\%27)|(\')|(\-\-)|(\%23)|(#)/ix

    Modified regular expression for detecting SQL meta-characters:

    /((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(;))/i

    Regular expression for a typical SQL injection attack:

    /\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix

    Regular expression for detecting SQL injection with the UNION keyword:

    /((\%27)|(\'))union/ix

    Regular expression for detecting SQL injection attacks on MS SQL Server:

    /exec(\s|\+)+(s|x)p\w+/ix

    and many more...
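An added example, not from the original post: the page's detection patterns compiled with java.util.regex and run over constructed parameter values, including the probes from the judging section above. The rule names, the SqliRegexDemo class and the sample values are my own.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class SqliRegexDemo {
    // The page's Perl-style /.../i patterns as java.util.regex Patterns. Perl's /i becomes
    // CASE_INSENSITIVE; /x is dropped because the patterns contain no whitespace, and under
    // Pattern.COMMENTS the unescaped '#' in the first rule would start a comment.
    static final Map<String, Pattern> RULES = new LinkedHashMap<>();
    static {
        RULES.put("meta-chars", Pattern.compile(
            "(\\%27)|(\\')|(\\-\\-)|(\\%23)|(#)", Pattern.CASE_INSENSITIVE));
        RULES.put("meta-chars after =", Pattern.compile(
            "((\\%3D)|(=))[^\\n]*((\\%27)|(\\')|(\\-\\-)|(\\%3B)|(;))", Pattern.CASE_INSENSITIVE));
        RULES.put("typical 'or", Pattern.compile(
            "\\w*((\\%27)|(\\'))((\\%6F)|o|(\\%4F))((\\%72)|r|(\\%52))", Pattern.CASE_INSENSITIVE));
        RULES.put("'union", Pattern.compile("((\\%27)|(\\'))union", Pattern.CASE_INSENSITIVE));
        RULES.put("mssql exec sp/xp", Pattern.compile("exec(\\s|\\+)+(s|x)p\\w+", Pattern.CASE_INSENSITIVE));
    }

    // Returns the names of every rule that fires on one parameter value (find(), not matches()).
    static List<String> matchingRules(String value) {
        List<String> hits = new ArrayList<>();
        for (Map.Entry<String, Pattern> e : RULES.entrySet()) {
            if (e.getValue().matcher(value).find()) {
                hits.add(e.getKey());
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample values: the probes from the "how to judge" section, the page's
        // ' or 1=1 payload, URL-encoded and MS SQL variants, and two legitimate values.
        String[] samples = {
            "xx'", "xx and '1'='1'", "xx and '1'='2'", "' or 1=1 --",
            "%27union%20select%201", "EXEC sp_who", "O'Neil", "42"
        };
        for (String s : samples) {
            System.out.printf("%-24s -> %s%n", s, matchingRules(s));
        }
    }
}
```

The page's ' or 1=1 payload is caught by the first two rules but not by the "typical" rule, which requires the quote to touch the or, and the legitimate value O'Neil trips the meta-character rule: regex filtering is a brittle secondary control, and parameterized queries remain the primary defence.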

 

  3. String filter

    A more common method:

    (between the | separators you can add whatever your program needs)

    public static boolean sql_inj(String str){
      // Blacklist of keywords and characters, separated by '|'
      String inj_str = "'|and|exec|insert|select|delete|update|"
                     + "count|*|%|chr|mid|master|truncate|char|declare|;|or|-|+|,";
      // split() takes a regular expression, so the '|' must be escaped
      String[] inj_stra = inj_str.split("\\|");
      for (int i = 0; i < inj_stra.length; i++) {
        // any occurrence of a blacklisted token anywhere in the input is flagged
        if (str.indexOf(inj_stra[i]) >= 0) {
          return true;
        }
      }
      return false;
    }

  4. Call this function from JSP to check whether the parameters contain illegal characters

    Prevent SQL injection from the URL:

    sql_inj.java code:

    package sql_inj;

    import java.net.*;
    import java.io.*;
    import java.sql.*;
    import java.text.*;
    import java.lang.String;

    public class sql_inj{
      public static boolean sql_inj(String str){
        // Blacklist of keywords and characters, separated by '|'
        String inj_str = "'|and|exec|insert|select|delete|update|"
                       + "count|*|%|chr|mid|master|truncate|char|declare|;|or|-|+|,";
        // you can also add your own entries here
        String[] inj_stra = inj_str.split("\\|");
        for (int i = 0; i < inj_stra.length; i++) {
          if (str.indexOf(inj_stra[i]) >= 0) {
            return true;
          }
        }
        return false;
      }
    }

  5. JSP page judgment code:

    Use javascript to block unsafe characters on the client side (a convenience only; the server-side checks above still apply).

    Purpose: check whether the string contains ', \ or /

    Parameter: the string to check

    Return value: 0 if it contains one of them, 1 if not

    The function is:

    function check(a){
      var fibdn = new Array("'", "\\", "/");   // forbidden characters
      var i = fibdn.length;
      var j = a.length;
      for (var ii = 0; ii < i; ii++) {
        for (var jj = 0; jj < j; jj++) {
          var temp1 = a.charAt(jj);
          var temp2 = fibdn[ii];
          if (temp1 == temp2) {
            return 0;
          }
        }
      }
      return 1;
    }

 


Origin: www.cnblogs.com/xp0813/p/11410746.html