Analysis of JSP against SQL injection attack


The general procedure of a SQL injection attack:
1. Find the injection point;
2. Determine the server type and the back-end database type;
3. Determine whether the injected statement can be executed.
Many attackers rely on SQL injection, so below I also give my own thoughts on it.
Injection method:
In theory, an authentication page contains a statement of this kind:
select * from admin where username='xxx' and password='yyy'
If the input is not filtered for the necessary characters before this statement is actually executed, SQL injection is easy to carry out.
Suppose the user enters abc' or 1=1 in the username box and 123 in the password box. The SQL statement becomes:
select * from admin where username='abc' or 1=1 and password='123'
Whatever username and password the user enters, this statement always executes successfully, so the user can easily deceive the system and obtain a legitimate identity.
Guessing approach:
The basic idea is to guess all the database names, guess each table name in the database, work out which table probably stores user names and passwords, guess each field name in that table, and then guess the contents of each record in the table.
There is another way to obtain the database name and the name of each table: a request of the form http://www.[domain].cn/news?id=10' makes the server reveal the database name and table names through its error messages.
For JSP, we generally adopt the following strategies:
1. PreparedStatement
If you are a slightly more advanced developer, you should always replace Statement with PreparedStatement, for these reasons:
1. Readability and maintainability of the code
2. PreparedStatement maximizes performance
3. Most importantly, it greatly improves security
Even now, some people (myself included) have not seen the basic malicious SQL pattern:
String sql = "select * from tb_name where name='" + varname + "' and passwd='" + varpasswd + "'";
If we pass in ' or '1'='1 as the name, with any password at all, what does the statement become?
select * from tb_name where name='' or '1'='1' and passwd='anything';
Because '1'='1' is always true, this passes any verification. Worse still, pass '; drop table tb_name; in as varpasswd:
select * from tb_name where name='random' and passwd=''; drop table tb_name;
Some databases will not let this succeed, but many databases will execute these statements.
If you use precompiled (prepared) statements, nothing you pass in can alter the original statement: the values are bound as parameters. (The premise is that the database itself supports precompilation; there is probably no server-side database that lacks it, only a few desktop databases that access files directly.) As long as you use prepared statements, you do not have to worry about the incoming data. With an ordinary Statement you would have to make painstaking checks for drop, ; and so on, and still worry.
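The two forms side by side, as an added example that is not code from the original article. It assumes the table tb_name with columns name and passwd used in the statements above, a JDBC Connection obtained elsewhere (for instance from DriverManager), and a hypothetical class name LoginDao.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class LoginDao {

    // Vulnerable form from the article: the SQL text is assembled by string
    // concatenation, so the user's input becomes part of the statement syntax.
    // unsafeQuery("' or '1'='1", "anything") returns
    //   select * from tb_name where name='' or '1'='1' and passwd='anything'
    static String unsafeQuery(String varname, String varpasswd) {
        return "select * from tb_name where name='" + varname
             + "' and passwd='" + varpasswd + "'";
    }

    // Prepared form: the SQL text is fixed before any value is supplied; the
    // two ? placeholders are bound as data, so a quote or a semicolon in the
    // input can never change the structure of the statement.
    static boolean login(Connection conn, String varname, String varpasswd)
            throws SQLException {
        String sql = "select 1 from tb_name where name = ? and passwd = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, varname);   // a quote here is just part of the name value
            ps.setString(2, varpasswd); // "'; drop table tb_name;" is just a password value
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();       // true only if a row matched both columns
            }
        }
    }
}
```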
2. Regular expressions
2.1. Regular expression for detecting SQL meta-characters:
/(\%27)|(\')|(\-\-)|(\%23)|(#)/ix
2.2. Modified regular expression for detecting SQL meta-characters:
/((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(;))/i
2.3. Regular expression for a typical SQL injection attack:
/\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix
2.4. Regular expression for detecting SQL injection with the UNION keyword:
/((\%27)|(\'))union/ix
(\%27)|(\') is the single quote and its hex equivalent; union is the UNION keyword.
2.5. Regular expression for detecting MS SQL Server SQL injection attacks:
/exec(\s|\+)+(s|x)p\w+/ix
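The five patterns above compiled with Java's Pattern class and run over a few constructed parameter values, as an added example that is not part of the original article. The class name SqlInjectionDetector and the sample values are assumptions; note that a legitimate name such as O'Brien also fires rule 2.1, which is the false-positive problem section 4 below points out.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class SqlInjectionDetector {

    // The article's patterns. CASE_INSENSITIVE is the /i flag; the /x flag is
    // left out because none of the patterns contain whitespace and, under
    // Pattern.COMMENTS, the literal # in 2.1 would start a comment and break it.
    static final Pattern[] RULES = {
        Pattern.compile("(\\%27)|(\\')|(\\-\\-)|(\\%23)|(#)", Pattern.CASE_INSENSITIVE),           // 2.1
        Pattern.compile("((\\%3D)|(=))[^\\n]*((\\%27)|(\\')|(\\-\\-)|(\\%3B)|(;))",
                        Pattern.CASE_INSENSITIVE),                                                 // 2.2
        Pattern.compile("\\w*((\\%27)|(\\'))((\\%6F)|o|(\\%4F))((\\%72)|r|(\\%52))",
                        Pattern.CASE_INSENSITIVE),                                                 // 2.3
        Pattern.compile("((\\%27)|(\\'))union", Pattern.CASE_INSENSITIVE),                          // 2.4
        Pattern.compile("exec(\\s|\\+)+(s|x)p\\w+", Pattern.CASE_INSENSITIVE),                     // 2.5
    };
    static final String[] NAMES = {
        "2.1 meta-chars", "2.2 meta-chars after =", "2.3 quote+or", "2.4 quote+union", "2.5 exec sp/xp"
    };

    // Returns the names of every rule that fires on the given parameter value.
    static List<String> matchedRules(String value) {
        List<String> hits = new ArrayList<>();
        for (int i = 0; i < RULES.length; i++) {
            if (RULES[i].matcher(value).find()) {   // find(): match anywhere in the value
                hits.add(NAMES[i]);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample values: the first three are benign (O'Brien still fires 2.1).
        String[] samples = { "Smith", "id=10", "O'Brien", "id=10'", "'or'1'='1", "'union", "exec sp_help" };
        for (String s : samples) {
            System.out.println(s + " -> " + matchedRules(s));
        }
    }
}
```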
3. String filtering
public static String filterContent(String content) {
    String flt = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|;|or|-|+|,";
    // split on a literal "|"; an unescaped "|" is an empty regex alternation and splits every character
    String[] filter = flt.split("\\|");
    for (int i = 0; i < filter.length; i++) {
        // String is immutable, so the result of replace must be assigned back
        content = content.replace(filter[i], "");
    }
    return content;
}
4. Masking unsafe characters
This part uses JavaScript to mask characters, which is of limited use. Although masking keywords does have some effect, in real applications these SQL keywords may also be legitimate search terms; if you mask them, users cannot use them normally. It is better to put the effort into coding standards:
if the SQL to be executed contains variables, use the prepared statement provided by JDBC (or another data persistence layer), and never build the statement by concatenating strings.
Function description: check whether the string contains ', \ or /
Parameter: the string to check
Return value: 0: yes, 1: no
The code is as follows:
function check(a) {
    var fibdn = new Array("'", "\\", "/");   // forbidden characters
    for (var ii = 0; ii < fibdn.length; ii++) {
        var temp2 = fibdn[ii];
        for (var jj = 0; jj < a.length; jj++) {
            var temp1 = a.charAt(jj);
            if (temp1 == temp2) { return 0; }  // found a forbidden character
        }
    }
    return 1;  // none found
}
