What is SQL Injection What are the characteristics and harms of SQL injection?

1. Extensiveness: Any database based on SQL language may be attacked, and many developers do not conduct normative verification and detection of the values received from input parameters, web forms, cookies, etc. when writing web applications, and SQL injection vulnerabilities usually occur.

2. Concealment: SQL injection statements are generally embedded in ordinary HTPP requests, which are difficult to distinguish from normal statements, so many current firewalls cannot recognize and warn, and there are many variants of SQL injection, and attackers can adjust the parameters of the attack, so the effect of using traditional methods to defend against SQL injection is very unsatisfactory.

3. Great harm: The attacker can obtain the database name, table name, and field name of the server through SQL injection, so as to obtain the data in the entire server, which has a great threat to the data security of the user. An attacker can also obtain the password of the backend administrator through the obtained data, and then maliciously tamper with the web page.

This not only poses a serious threat to the security of database information, but also has a great impact on the security of the entire database system.

4. Easy to operate: There are many SQL injection tools on the Internet, which are easy to learn and the attack process is simple, and can be used freely without professional knowledge.

Key features of SQL injection attacks:

1. There are many variants.

Experienced attackers will manually adjust the parameters of the attack, so that the attack data is not enumerable, which leads to the traditional feature matching method to identify only a very small number of attacks. Or the most conventional attacks, which are difficult to prevent.

2. Simple attack.

The attack process is simple, and there are many popular SQL injection attack tools on the Internet, with the help of which attackers can quickly attack or destroy the target, which is very harmful.

3. Extremely harmful.

Due to the shortcomings of the web language itself and the small number of developers with secure programming, most web application systems have the possibility of being attacked by SQL injection, and once the attacker succeeds in the attack, he can make any modifications to the data of the entire web application system or steal it, and the destructive power has reached the extreme.

Harm of SQL injection attacks.

1. Manipulate the data in the database without authorization.

2. Maliciously tampering with the content of the web page After logging in to the background, you can also publish updates to the homepage, at this time, the update may be some illegal information, and you can also add an account or a database account to the system. This requires a web shell or higher privilege.

3. Add the system account or database user account without permission.

4. Web Trojan After getting the web shell or obtaining the permission of the server, we will hang some web Trojans on the server to attack others. Even in serious cases, we can control the entire web server, which is very dangerous.

A SQL injection attack is an attack that takes advantage of a programmer's low-level error in operating the database during development.

The main way to do this is to use concatenated strings to achieve some operations.

However, the attack of file demolition is obviously outdated, especially after the introduction of LINQ, which has officially withdrawn from the stage of history.

SQL injection is an injection attack, which is caused by incorrectly executing the data as part of the data when reading the data without isolating ** from the data in the project.

How Do I Handle SQL Injection? Three aspects:

1. Filter the special characters in the user's input parameters to reduce the risk;

2. It is forbidden to concatenate SQL statements through strings, and strictly use parameter bindings to pass in parameters;

3. Reasonable use of the mechanism provided by the database framework.

With the development of BS mode application development, more and more programmers are writing applications using this mode. However, due to the uneven level and experience of programmers, a considerable number of programmers do not judge the legitimacy of user input data when writing **, which makes the application have security risks. The user can submit a database query **, root.

According to the results returned by the program, he gets some data that he wants to know, which is called SQL injection, that is, SQL injection.

SQL injection is accessed from the normal www port, and it looks no different from the general web page access, so the current firewall on the market will not send an alarm for SQL injection, if the administrator does not have the habit of viewing IIS logs, it may be invaded for a long time will not be noticed. However, the method of SQL injection is quite flexible, and there are many unexpected situations when injecting. Can you analyze the specific situation and construct clever SQL statements to successfully obtain the desired data?

According to statistics, more than 70% use ASP+Access or SQLSer, PHP+Mysq accounts for L20%, and the others are less than 10%.

The so-called SQL injection is to insert SQL commands into the web form to submit or enter the query string of domain names or page requests, and finally deceive the server to execute malicious SQL commands. Specifically, it is the ability to leverage existing applications and inject (malicious) SQL commands into the backend database engine for execution, which can be entered in a web form.