


SQL Injection


An SQL Injection can destroy your database.

SQL in Web Pages
In the previous chapters, you have learned to retrieve (and update) database data, using SQL.
When SQL is used to display data on a web page, it is common to let web users input their own search values.
Since SQL statements are text only, it is easy, with a little piece of computer code, to dynamically change SQL statements to provide the user with selected data:

Server Code
 
   

The example above creates a select statement by adding a variable (txtUserId) to a select string. The variable is fetched from the user input (Request) to the page.
http://www.w3schools.com/sql/sql_injection.asp






The rest of this chapter describes the potential dangers of using user input in SQL statements.

SQL Injection
SQL injection is a technique where malicious users can inject SQL commands into an SQL statement, via web page input.
Injected SQL commands can alter the SQL statement and compromise the security of a web application.

SQL Injection Based on 1=1 is Always True
Look at the example above, one more time.
Let's say that the original purpose of the code was to create an SQL statement to select a user with a given user id.
If there is nothing to prevent a user from entering "wrong" input, the user can enter some "smart" input like this:
UserId: 105 or 1=1

Server Result
   

The SQL above is valid. It will return all rows from the table Users, since WHERE 1=1 is always true.
Does the example above seem dangerous? What if the Users table contains names and passwords?
The SQL statement above is much the same as this:


    

A smart hacker might get access to all the user names and passwords in a database by simply inserting 105 or 1=1 into the input box.

SQL Injection Based on ""="" is Always True
Here is a common construction, used to verify user login to a web site:
User Name:

Password:

Server Code


  


A smart hacker might get access to user names and passwords in a database by simply inserting " or ""=" into the user name or password text box.
The code at the server will create a valid SQL statement like this:

Result
  

The result SQL is valid. It will return all rows from the table Users, since WHERE ""="" is always true.

SQL Injection Based on Batched SQL Statements
Most databases support batched SQL statements, separated by semicolons.

Example
 

The SQL above will return all rows in the Users table, and then delete the table called Suppliers.
If we had the following server code:

Server Code
 
   

And the following input:
UserId: 105; DROP TABLE Suppliers
The code at the server would create a valid SQL statement like this:

Result
   


Parameters for Protection
Some web developers use a "blacklist" of words or characters to search for in SQL input, to prevent SQL injection attacks.
This is not a very good idea. Many of these words (like delete or drop) and characters (like semicolons and quotation marks) are used in common language, and should be allowed in many types of input.
(In fact it should be perfectly legal to input an SQL statement in a database field.)
The only proven way to protect a web site from SQL injection attacks is to use SQL parameters.
SQL parameters are values that are added to an SQL query at execution time, in a controlled manner.

ASP.NET Razor Example
 
   


Note that parameters are represented in the SQL statement by a @ marker.
The SQL engine checks each parameter to ensure that it is correct for its column and that it is treated literally, not as part of the SQL to be executed.
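The following is an added example, not code from this page or from W3Schools. It runs the page's "Server Code", login check, batched-statement and "Parameters for Protection" sections against a real database: Python's sqlite3 module stands in for the ASP.NET/PHP server code, with ? as the parameter marker where ASP.NET Razor uses @0, @1, and so on. String literals are written with single quotes (standard SQL), so the page's " or ""=" input appears here as ' or ''='. The Users, Suppliers and Customers tables, their rows and the request values are all constructed for the demo.

```python
"""Added example (not the page's code): concatenated SQL beside SQL parameters.

Python's sqlite3 module stands in for the page's ASP.NET/PHP server code.
It uses ? as the parameter marker (ASP.NET Razor uses @0, @1, ...).
String literals are single-quoted, so the page's  " or ""="  payload is
written here as  ' or ''=' .  All tables, rows and inputs are constructed.
"""
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """In-memory database with constructed Users, Suppliers and Customers tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE Users (UserId INTEGER, Name TEXT, Pass TEXT);
        INSERT INTO Users VALUES (105, 'alice', 'hunter2');
        INSERT INTO Users VALUES (106, 'bob',   'letmein');
        INSERT INTO Users VALUES (107, 'carol', 'swordfish');
        CREATE TABLE Suppliers (SupplierId INTEGER, Name TEXT);
        INSERT INTO Suppliers VALUES (1, 'Acme');
        CREATE TABLE Customers (CustomerName TEXT, Address TEXT, City TEXT);
        """
    )
    return conn


# --- the page's vulnerable pattern: request text glued into the SQL string ---

def select_user_concat(conn: sqlite3.Connection, txt_user_id: str) -> list:
    txt_sql = "SELECT * FROM Users WHERE UserId = " + txt_user_id
    return conn.execute(txt_sql).fetchall()


def login_concat(conn: sqlite3.Connection, u_name: str, u_pass: str) -> list:
    sql = "SELECT * FROM Users WHERE Name = '" + u_name + "' AND Pass = '" + u_pass + "'"
    return conn.execute(sql).fetchall()


# --- the fix: SQL parameters, bound by the driver at execution time ---

def select_user_param(conn: sqlite3.Connection, txt_user_id: str) -> list:
    return conn.execute("SELECT * FROM Users WHERE UserId = ?", (txt_user_id,)).fetchall()


def login_param(conn: sqlite3.Connection, u_name: str, u_pass: str) -> list:
    return conn.execute("SELECT * FROM Users WHERE Name = ? AND Pass = ?",
                        (u_name, u_pass)).fetchall()


def insert_customer_param(conn: sqlite3.Connection, name: str, address: str, city: str) -> tuple:
    """Parameterized INSERT (the shape of the page's INSERT INTO examples); returns the stored row."""
    conn.execute("INSERT INTO Customers (CustomerName, Address, City) VALUES (?, ?, ?)",
                 (name, address, city))
    return conn.execute("SELECT * FROM Customers WHERE CustomerName = ?", (name,)).fetchone()


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
                       (name,)).fetchone()
    return row is not None


def run_demo() -> dict:
    """Feed the page's inputs through both code paths and collect the outcomes."""
    conn = make_demo_db()
    r = {}
    # "105 or 1=1": concatenation yields  WHERE UserId = 105 or 1=1  -> every row
    r["concat_1eq1_rows"] = len(select_user_concat(conn, "105 or 1=1"))
    # bound as a value, the same text is compared with UserId as a whole and matches nothing
    r["param_1eq1_rows"] = len(select_user_param(conn, "105 or 1=1"))
    r["param_105_rows"] = len(select_user_param(conn, "105"))
    # login bypass: the page's  " or ""="  in both fields, single-quoted here
    payload = "' or ''='"
    r["concat_login_rows"] = len(login_concat(conn, payload, payload))
    r["param_login_rows"] = len(login_param(conn, payload, payload))
    r["param_login_ok"] = len(login_param(conn, "alice", "hunter2"))
    # batched statement: as a parameter it is only a string, so nothing is dropped
    # (sqlite3's execute() also refuses two statements in one call; many other drivers do not)
    r["param_batched_rows"] = len(select_user_param(conn, "105; DROP TABLE Suppliers"))
    r["suppliers_survive"] = table_exists(conn, "Suppliers")
    # the blacklist objection: legitimate text full of "forbidden" tokens is stored verbatim
    r["customer_row"] = insert_customer_param(conn, "O'Brien", "7 Drop St; Unit 2", "Delete")
    return r


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The concatenated path returns all three Users rows for both the 1=1 and the ' or ''=' inputs, while the parameterized path returns none of them, still finds the real user, leaves Suppliers in place when given the batched input, and stores an apostrophe, a semicolon and the words Drop and Delete without complaint, which is the page's argument against blacklists in running form.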

Another Example



  




You have just learned to avoid SQL injection, one of the top web site vulnerabilities.

Examples
The following examples show how to build parameterized queries in some common web languages.
SELECT STATEMENT IN ASP.NET:

 
   

 


INSERT INTO STATEMENT IN ASP.NET:




  







INSERT INTO STATEMENT IN PHP:

  

W3Schools is optimized for learning, testing, and training. Examples might be simplified to improve reading and basic understanding. Tutorials, references, and examples are constantly reviewed to avoid errors, but we cannot warrant full correctness of all content. While using this site, you agree to have read and accepted our terms of use, cookie and privacy policy. Copyright 1999-2015 by Refsnes Data. All Rights Reserved.
