Ways to Protect Against SQL Injection
SQL injection occurs when an attacker manipulates the data an application accepts so that the attacker's own database commands are executed. On a login page, for example, if the query is built from the submitted fields and the application connects to the database with an over-privileged account, the attacker can run arbitrary commands against the database.

The common causes are:
- user input that is used without validation
- SQL statements built dynamically instead of with type-safe parameters
- an over-privileged database login
SQL injection with dynamic SQL

    // Use dynamic SQL: the SSN text box value is concatenated into the query (vulnerable)
    SqlDataAdapter myCommand = new SqlDataAdapter(
        "SELECT au_lname, au_fname FROM authors WHERE au_id = '" +
        SSN.Text + "'", myConnection);
In this code the text the user types is placed straight into the query. If the user enters '; DROP DATABASE pubs -- the statement sent to the database becomes:

    SELECT au_lname, au_fname FROM authors WHERE au_id = ''; DROP DATABASE pubs --'

The ; (semicolon) terminates the current statement and lets the attacker start a new SQL statement, and the -- turns the rest of the line, including the closing quote ', into a comment so the injected statement parses cleanly.
Three countermeasures against SQL injection:
- 1. Constrain the input
- 2. Use type-safe parameters with stored procedures
- 3. Use type-safe parameters with dynamic SQL
1. Constrain the input

Validate every input for type, length, format and range, and accept only the characters the field legitimately needs rather than trying to filter out dangerous characters. Regular expressions are a convenient way to validate the format. For ASP.NET server controls use the RegularExpressionValidator; for HTML controls, query-string values and cookies, call the Regex class directly:
    using System.Text.RegularExpressions;

    // Verbatim string (@"...") so the \d escapes reach the regex engine;
    // a cookie may be absent, so fall back to "" rather than passing null.
    if (Regex.IsMatch(Request.Cookies["SSN"]?.Value ?? "", @"^\d{3}-\d{2}-\d{4}$"))
    {
        // access the database
    }
    else
    {
        // handle the bad input
    }
Data from untrusted clients should be validated wherever it enters the application, in library code as well as in the page, and the same regular-expression check can be reused there.
2. Use type-safe parameters with stored procedures

When the data access goes through a stored procedure, pass the input as a SqlParameter with an explicit type and length instead of building the call as a string. Only part of the sample survives on this page: the adapter wraps a stored-procedure command whose @au_id parameter is declared as VarChar with a length of 11 and set from the SSN text box, and the result is loaded with:

    using System.Data;
    using System.Data.SqlClient;
    // ... stored-procedure command and its @au_id parameter (VarChar, 11) are built here ...
    myCommand.Fill(userDataset);
    }

The parameter is limited to 11 characters and is treated as a literal value, not as executable code: input such as DROP TABLE ORDERS; reaches the procedure as data. Note that a stored procedure only gives this protection if it uses the parameter directly; a procedure that concatenates the parameter into dynamic SQL and runs it with EXEC is just as vulnerable as the page code above.
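The following program is an added example, not code from the original page or from the MSDN article it follows. It puts the page's three pieces side by side: the vulnerable dynamic-SQL string, the SSN regular-expression check from step 1, and a parameterized stored-procedure command as in step 2. The procedure name LoginStoredProcedure, the connection string and the sample SSN are assumptions; no connection is opened, so the command objects can be built and inspected without a database server.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class SqlInjectionDemo
{
    // Step 1 (constrain input): a US SSN is exactly ddd-dd-dddd. The verbatim
    // string (@"...") keeps the backslashes in \d intact.
    private static readonly Regex SsnPattern = new Regex(@"^\d{3}-\d{2}-\d{4}$");

    public static bool IsValidSsn(string input)
    {
        return input != null && SsnPattern.IsMatch(input);
    }

    // The vulnerable form from the page: the query text is assembled from user input.
    public static string BuildDynamicQuery(string ssn)
    {
        return "SELECT au_lname, au_fname FROM authors WHERE au_id = '" + ssn + "'";
    }

    // Step 2 (type-safe parameter with a stored procedure): the command text is
    // only the procedure name, and the input travels as a VarChar(11) parameter.
    // "LoginStoredProcedure" is an assumed name, not one the page gives.
    public static SqlCommand BuildStoredProcedureCommand(SqlConnection connection, string ssn)
    {
        var command = new SqlCommand("LoginStoredProcedure", connection);
        command.CommandType = CommandType.StoredProcedure;
        command.Parameters.Add("@au_id", SqlDbType.VarChar, 11).Value = ssn;
        return command;
    }

    public static void Main()
    {
        // Constructed inputs: the page's payload and a well-formed au_id value.
        const string attack = "'; DROP DATABASE pubs --";
        const string legit = "172-32-1176";

        foreach (string input in new[] { legit, attack })
        {
            Console.WriteLine("input: " + input);
            Console.WriteLine("  passes SSN check: " + IsValidSsn(input));
            Console.WriteLine("  dynamic SQL:      " + BuildDynamicQuery(input));

            // Placeholder connection string (assumption); the connection is never opened.
            using (var connection = new SqlConnection("Server=.;Database=pubs;Integrated Security=true"))
            {
                SqlCommand cmd = BuildStoredProcedureCommand(connection, input);
                Console.WriteLine("  command text:     " + cmd.CommandText);
                Console.WriteLine("  @au_id value:     " + cmd.Parameters["@au_id"].Value);
            }
        }
    }
}
```

For the attack input the dynamic query contains the extra DROP statement and the comment marker, while the parameterized command's text is unchanged and the payload sits only in the parameter's Value, where the driver sends it as data. In a real page the IsValidSsn check runs first and the command is built only for input that passes; to execute it, open the connection and call cmd.ExecuteReader(). On .NET Framework the System.Data.SqlClient namespace is built in; on .NET Core add the System.Data.SqlClient package.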
3. Use type-safe parameters with dynamic SQL

Parameters work the same way when the SQL is built in the application rather than in a stored procedure. Each placeholder in the command text (@custIDParm, @countryParm) is bound to a typed, length-limited SqlParameter, so the input values never become part of the SQL text:

    using System.Data;
    using System.Data.SqlClient;
    . . .
    using (SqlConnection connection = new SqlConnection(connectionString))
    {
        SqlDataAdapter dataAdapter = new SqlDataAdapter(
            "SELECT CustomerID INTO #Temp1 FROM Customers " +
            "WHERE CustomerID > @custIDParm; SELECT CompanyName FROM Customers " +
            "WHERE Country = @countryParm and CustomerID IN " +
            "(SELECT CustomerID FROM #Temp1);",
            connection);
        // Typed, length-limited parameters: the inputs are sent as data, not as SQL text.
        SqlParameter custIDParm = dataAdapter.SelectCommand.Parameters.Add(
            "@custIDParm", SqlDbType.NChar, 5);
        custIDParm.Value = customerID.Text;
        // @countryParm is referenced by the query, so it must be declared as well
        // (country is the second input control).
        SqlParameter countryParm = dataAdapter.SelectCommand.Parameters.Add(
            "@countryParm", SqlDbType.NVarChar, 15);
        countryParm.Value = country.Text;
        connection.Open();
        DataSet dataSet = new DataSet();
        dataAdapter.Fill(dataSet);
    }
    . . .
Further measures against SQL injection (the original text here survives only in fragments): treat the database login as part of the threat model and have the ASP.NET application connect through a least-privileged account, so that a compromised page or malicious input is limited in what it can do to the database.
Reference: http://msdn.microsoft.com/