SQL Injection Attack

Avoid SQL Injection

What is SQL Injection

SQL injection (SQLi), often just called injection, is the most common class of security vulnerability in Web development. An attacker can use it to read sensitive information from the database, abuse database features to add users, export files and carry out a series of other malicious actions, and in some cases obtain a database system account or even the highest privilege on the host.
SQL injection happens because the program does not effectively validate user input, so an attacker can submit crafted SQL fragments to the server. The program receives the input and executes it as part of its own query, the logic of the original query is changed, and the attacker's crafted code is executed in addition to it.

Examples of SQL injection

Many Web developers do not realize how SQL queries can be tampered with, and treat an SQL query as a trusted command. In fact, SQL queries can circumvent access controls, thereby bypassing standard authentication and authorization checks. Worse, through SQL it is sometimes possible to run commands at the host operating-system level.

The following real-life style examples explain the SQL injection technique in detail.

Consider the following simple login form:

<form action="/login" method="POST">
<p>Username: <input type="text" name="username" /></p>
<p>Password: <input type="password" name="password" /></p>
<p><input type="submit" value="Login" /></p>
</form>

The SQL handling on the server side might look like this:

username := r.Form.Get("username")
password := r.Form.Get("password")
// Vulnerable: user input is concatenated directly into the SQL text
sql := "SELECT * FROM user WHERE username='" + username + "' AND password='" + password + "'"

If you enter the following as the user name, with any password:

myuser' or 'foo' = 'foo' --

Then our SQL becomes as follows:

SELECT * FROM user WHERE username='myuser' or 'foo' = 'foo' --' AND password='xxx'

In SQL, -- marks a comment, so everything after it is discarded and the password check never runs. This lets an attacker log in successfully without knowing any valid user name or password.

For MSSQL there is a far more dangerous type of SQL injection, one that takes control of the system. The following alarming example demonstrates how system commands can be executed on some versions of the MSSQL database.

// Vulnerable: the search term is concatenated directly into the SQL text
sql := "SELECT * FROM products WHERE name LIKE '%" + prod + "%'"
Db.Exec(sql)

If the attacker submits the value a%' exec master..xp_cmdshell 'net user test testpass /ADD' -- as the variable prod, then the SQL becomes:

sql := "SELECT * FROM products WHERE name LIKE '%a%' exec master..xp_cmdshell 'net user test testpass /ADD'--%'"

MSSQL Server executes all the SQL statements in the batch, including the command that adds a new user to the system. If this program runs as sa and the MSSQLSERVER service has sufficient privileges, the attacker obtains a system account with access to the machine.

Although the examples above are tied to a specific database system, this does not mean that similar attacks cannot be carried out against other database systems. The security hole is the same; only the methods differ, and every database is potentially affected.

How to prevent SQL Injection

You might say that an attacker needs to know the database structure in order to carry out an SQL injection attack. True, but nobody can guarantee that the attacker will never obtain this information, and once they have it the database is at risk of leakage. If you use an open-source software package to access the database, for example a forum program, the attacker can easily obtain the relevant code. If that code is poorly designed, the risk is even greater. Discuz, phpwind, phpcms and other popular open source programs have all suffered SQL injection attacks in the past.

These attacks always occur in code with low security. So never trust data that comes from outside, especially user data, including selection boxes, hidden form fields and cookies. As the first example above shows, even an ordinary-looking query can cause a disaster.

Given how harmful SQL injection attacks are, how do we combat them? The following recommendations for preventing SQL injection may be helpful.

  1. Strictly limit the Web application's permissions on the database, granting the database user only the minimum rights needed for its work, which minimizes the harm an injection attack can do to the database.
  2. Check whether the input data has the expected format and restrict the type of each variable, for example by matching with the regexp package, or by converting the string into another basic type with the strconv package and checking the result.
  3. Escape or encode special characters before they go into the database (quotes, angle brackets, &, *, ; and the like). In Go, the HTMLEscapeString function in the text/template package can be used to escape strings.
  4. For all queries, use the parameterized query interface provided by the database. Parameterized statements pass user input as parameters instead of embedding it into the SQL text, so the SQL statement is never built by string concatenation. For example, database/sql provides the query functions Prepare, Query and Exec(query string, args ...interface{}).
  5. Before releasing an application, test it with professional SQL injection detection tools and fix any SQL injection vulnerability that is found. There are many open source tools for this, for example sqlmap, SQLninja and so on.
  6. Avoid having the site print out SQL error information, such as the error type, field mismatches or the SQL statement from the code, so that an attacker cannot use these error messages to refine an SQL injection.
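The following Go program is an added example (not code from the original article) that puts items 2 and 4 of the list side by side with the article's vulnerable concatenation: an assumed allow-list regexp for usernames, and a parameterized lookup through database/sql. The table and column names, the "?" placeholder style and the allow-list pattern are assumptions.

```go
package main

import (
	"database/sql"
	"errors"
	"fmt"
	"regexp"
)

// buildUnsafeQuery reproduces the article's vulnerable concatenation: the input
// becomes SQL text, so a crafted username rewrites the WHERE clause.
func buildUnsafeQuery(username, password string) string {
	return "SELECT * FROM user WHERE username='" + username + "' AND password='" + password + "'"
}

// usernameRe is an assumed allow-list for usernames (list item 2):
// letters, digits and underscore, 1 to 32 characters.
var usernameRe = regexp.MustCompile(`^[A-Za-z0-9_]{1,32}$`)

// validUsername rejects anything outside the allow-list before it reaches SQL.
func validUsername(s string) bool {
	return usernameRe.MatchString(s)
}

// findUser is the parameterized form (list item 4): the SQL text is fixed and
// the driver transmits username and password as values, never as SQL syntax.
// The "?" placeholder style is assumed; some drivers use $1, $2 instead.
// A real application would compare a password hash, not the plaintext.
func findUser(db *sql.DB, username, password string) (bool, error) {
	if !validUsername(username) {
		return false, errors.New("username rejected by allow-list")
	}
	var id int64
	err := db.QueryRow("SELECT id FROM user WHERE username=? AND password=?",
		username, password).Scan(&id)
	if errors.Is(err, sql.ErrNoRows) {
		return false, nil
	}
	return err == nil, err
}

func main() {
	payload := "myuser' or 'foo' = 'foo' --"
	fmt.Println(buildUnsafeQuery(payload, "xxx")) // "--" comments out the password check
	fmt.Println(validUsername(payload), validUsername("myuser"))
}
```

With a real driver registered, findUser sends the same payload to the server as a plain string value, where it only matches a user literally named that way.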

Summary

From the examples above we can see that SQL injection is a rather serious security hole. So when we write Web applications we should take every small detail very seriously; details decide the fate of a program, in life as in Web development.

Origin www.cnblogs.com/wangziqiang123/p/11691200.html