Didi, didi, we’re off. Buckle up and put on your helmet
One: SQL prerequisite knowledge points
1) SQL statement, such as in MySQL: select name from T_user where id = $id
2) Web programs generally have a 3-layer structure: display layer, business logic layer, data layer (as shown below)
Two: Main methods of SQL injection attacks
1) Guess the background database and escalate privileges
2) Bypass authentication
Three: SQL injection attack core
(Display layer) user dynamic input + (logic layer) parameters passed on without validation => SQL injection attack
Four: bypass authentication example
Generally, when we query a user's personal information, we query by ID, as follows:
select * from user where id = $id
select * from user where username = 'user' and password =' 111 '
If we change the input id to id=1 or 1=1, or put a comment sequence inside a string value (for example username = user' --), then the whole back-end query statement becomes
select * from user where id = 1 or 1=1
select * from user where username = 'user' -- ' and password = '111'
Even without the correct user ID or password, you still get the user's personal information and can log in to the user's account.
Five: guess the background database example
For example, suppose we have a query as follows:
select * from user where student_id = '4'
By splicing a UNION onto the query statement, we can obtain various pieces of database information, such as the database version, the current database name, the names of all databases, and so on:
Select * from user where student_id = '4' union select 1,1,version(),1
Select * from user where student_id = '4' union select 1,1,database(),1
Through such repeated guessing and analysis of the database information, an attacker gains access to more user data and sensitive content.
This is only the simplest SQL attack; real SQL injection attacks are more complex, but the core of all three SQL injection methods is injection. For example, guessing the background database is done through continuous injection: collecting all kinds of information (request method, coding language, database name, database character encoding and so on), combining it, and guessing repeatedly until the attacker obtains a variety of personal information.
Six: How to prevent
The best code-level defense against SQL injection attacks is SQL precompilation (prepared statements with bound parameters). With precompilation, a parameter bound afterwards is never compiled as SQL: the system does not treat the parameter as part of the SQL statement, only as a value, so OR, AND and the like inside the parameter are not SQL reserved words.
Strictly check the incoming parameter type and length
Strictly control database permissions and handle SQL exception responses
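As an added example (not code from the original post), the following Python script puts the authentication-bypass query from section Four next to the precompiled form from section Six and the type/length check from section Six. It uses an in-memory SQLite database as a stand-in for MySQL and a constructed user table; the `?` placeholder is SQLite's, whereas MySQL connectors typically use `%s`, but the principle is the same: the driver sends the values as data, never as SQL text.

```python
import re
import sqlite3


def make_db():
    """Constructed sample schema and rows (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO user VALUES (?, ?, ?)",
        [(1, "alice", "s3cret"), (2, "bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """Vulnerable form: user input is spliced straight into the SQL text.

    This is the 'display layer input + unreviewed parameter' pattern from
    section Three; a comment sequence in the username cuts off the
    password check exactly as shown in section Four.
    """
    sql = (
        f"select * from user where username = '{username}' "
        f"and password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_prepared(conn, username, password):
    """Hardened form: precompiled statement with bound parameters.

    The SQL text is fixed before any user value is seen, so the same
    username string is compared literally (quotes, dashes and all) and
    never changes the statement's structure.
    """
    sql = "select * from user where username = ? and password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Strict type and length check for the id parameter (section Six):
# only 1 to 10 ASCII digits are accepted before anything reaches the query.
ID_PATTERN = re.compile(r"[0-9]{1,10}")


def get_user_by_id(conn, raw_id):
    """Look up a user by id, rejecting anything that is not a short integer."""
    if not isinstance(raw_id, str) or not ID_PATTERN.fullmatch(raw_id):
        raise ValueError("id must be 1 to 10 digits")
    return conn.execute(
        "select * from user where id = ?", (int(raw_id),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed attack input using the page's comment-sequence form.
    evil_name = "alice' -- "
    print("concat  :", login_concat(db, evil_name, "wrong"))   # row returned
    print("prepared:", login_prepared(db, evil_name, "wrong")) # empty list
    print("prepared:", login_prepared(db, "alice", "s3cret"))  # legitimate login
    print("by id   :", get_user_by_id(db, "2"))
    try:
        get_user_by_id(db, "1 or 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

Running it shows that `login_concat` returns alice's row for a wrong password while `login_prepared` returns nothing for the same input, and that the id check refuses the `1 or 1=1` form before a query is even built.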