Common Methods And Test Methods Of SQL Injection Attacks
This article mainly focuses on the meaning of SQL injection, how to perform SQL injection and how to prevent SQL injection so that friends have an understanding. The applicable people are mainly testers. Knowing how to perform SQL injection can help us test SQL attack vulnerabilities in modules such as login and release. As for how to prevent SQL injection, it should be something that development should understand~ but as a great Testing and figuring out whether the principle will allow us to understand the cause of the bug more thoroughly~ OK, let’s not say much, let’s get to the main topic~
How to understand SQL injection (attack)?
SQL injection is an attack technique in which SQL code is added to input parameters and passed to the server for analysis and execution.
A SQL injection attack is associated with an unfiltered input parameter, so directly spliced into the SQL statement for analysis, and therefore the execution reaches associate surprising behavior, which is termed a SQL injection attack.
How does SQL injection come about?
1) WEB developers cannot guarantee that all inputs have been filtered
2) The attacker uses the input parameters sent to the SQL server to construct possible SQL code (can be further to urge request, post request, HTTP header data, cookie)
3) The database has not done corresponding security configuration
How to perform SQL injection attacks?
Take PHP scripting language and MySQL database as examples to introduce the development techniques and construction strategies of SQL injection attacks
- Digital injection
Enter in the browser address bar: learn.me/sql/article.php?id=1, this is a get kind interface, causation this request is such as line of work a query statement:
$sql = “SELECT * FROM article WHERE id =”,$id
Under normal circumstances, an article with id=1 should be returned. Then, if you enter in the browser address bar: learn.me/sql/article.php?id=-1 OR 1 =1, this is an SQL injection attack, which may return information about all articles. Why is this so?
This is because id = -1 is always false, 1=1 is always true, all the entire where the statement is always true, so the where the condition is equivalent to nowhere condition is added, then the result of the query is equivalent to the content of the entire table
- String injection
There is such a user login scenario: the login interface includes user name and password input boxes, and a submit button. Enter the username and password and submit.
This is a post request. When logging in, the interface learn.me/sql/login.html is called. First, connect to the database, and then perform parameter verification on the user name and password carried in the post request parameters in the background, that is, the SQL query process. Assuming that the correct user name and password are user and pwd123, input the correct user name and password, and submit, which is equivalent to calling the following SQL statement:
SELECT * FROM user WHERE username = ‘user’ ADN password = ‘pwd123’
Since the user name and password are both character strings, the SQL injection method changes the data carried by the parameters into the character strings commented in MySQL. There are two annotation methods in MySQL:
1)’#’: All strings after’#’ will be treated as comments
User name input: user’# (single quotation mark closes the single quotation mark to the left of the user), enter the password at will, such as 111, and then click the submit button. Equivalent to SQL statement:
SELECT * FROM user WHERE username = ‘user’#’ADN password = ‘111’
After the’#’ is commented out, it is equivalent to:
SELECT * FROM user WHERE username = ‘user’
2)’– ‘(There is a space after –): The string after’–‘ will be treated as a comment
User name input: user’– (note–there is a space after the single quotation mark to close the single quotation mark to the left of the user), the password is free to enter, such as 111, and then click the submit button. Equivalent to SQL statement:
SELECT * FROM user WHERE username = ‘user’– ‘AND password = ‘111’
SELECT * FROM user WHERE username =’user’–‘AND password = ‘1111’
‘–‘ is commented out afterwards, which is equivalent to:
SELECT * FROM user WHERE username = ‘user’
Therefore, in the above two cases, it is possible to enter a wrong password or login to the account with the user name user without entering the password, which is very dangerous.
How to prevent SQL injection?
This is a question that developers should think about. As a tester, if you understand how to prevent SQL injection, you can locate the cause of the bug when an injection attack bug is discovered.
1) Strictly check the type and format of input variables
For integer parameters, add judgment conditions: it cannot be empty, and the parameter type must be a number
For string parameters, you can use regular expressions to filter: such as: must be a string in the range of [0-9a-zA-Z]
2) Filter and escape special characters
Escape before the username variable to escape special characters such as’, “, \, etc., for example, the addslashes() function in PHP escapes the username parameter
3) Use MySQL’s pre-compilation mechanism
Send the SQL statement template (variables use placeholders for placeholders) to the MySQL server, and the MySQL server compiles the SQL statement template. After the compilation, the corresponding index is optimized according to the optimization analysis of the statement, and when the parameters are finally bound The corresponding parameters are sent to the MySQL server for direct execution, which saves SQL query time and resources of the MySQL server, achieving the purpose of one-time compilation and multiple executions. In addition, it can also prevent SQL injection. How to prevent SQL injection? In fact, when the bound parameters are passed to the MySQL server, the MySQL server compiles the parameters, that is, in the process of filling them into the corresponding placeholders, they do an escape operation.
Watch It for more Information