ASP.NET Methods for Preventing SQL Injection Attacks

  • 2021-07-24 10:41:43
  • OfStack

1. What is an SQL injection attack?

An SQL injection attack is one in which an attacker places SQL syntax in the input fields of a Web form or in the query string of a page request, so that the server ends up executing an SQL command of the attacker's choosing. Forms whose input is used directly to construct (or to influence) dynamic SQL commands, or is passed straight through as parameters to stored procedures, are particularly exposed. A typical attack proceeds as follows:

(1) An ASP.NET Web application has a login page that controls whether the user may access the application. It asks the user for a name and a password.

(2) The values entered on the login page are used directly to build a dynamic SQL command, or are passed directly as parameters of a stored procedure. Here is an example of how an ASP.NET application might construct the query:


   // Vulnerable: the form values are concatenated straight into the SQL text.
   System.Text.StringBuilder query = new System.Text.StringBuilder(
        "SELECT * from Users WHERE login = '")
        .Append(txtLogin.Text).Append("' AND password='")
        .Append(txtPassword.Text).Append("'");

(3) The attacker enters `' or '1'='1` in both the user name box and the password box.

(4) When the form is submitted, the server runs the code above to assemble the SQL command. Because of the special characters in the input, the command that is actually built is: SELECT * from Users WHERE login = '' or '1'='1' AND password = '' or '1'='1'

(5) The server executes the query (or stored procedure) to compare the submitted identity information with the identity information it has stored.

Because the injection has changed the SQL command, it no longer authenticates anyone: the trailing `or '1'='1'` is true for every row, so the query matches every user and the system mistakenly lets the attacker in.

An attacker who knows that the application feeds form contents directly into the authentication query will try specially crafted SQL fragments to alter the query's meaning and trick the system into granting access.

How much damage the attacker can do varies with the environment and is determined mainly by the privileges of the database account the application uses. If that account has administrator or other elevated privileges, the attacker can do whatever he likes to the tables in the database: add, delete or update data, or drop tables outright.

2. How to prevent it?

Fortunately, keeping an ASP.NET application safe from SQL injection is not especially difficult. The essential rule is that user input must never be spliced into SQL text as-is: pass it through parameters wherever possible and, where a command really is built from input, filter that input first. Several complementary techniques are available.

(1) If SQL queries are constructed dynamically, the following techniques can be used:

1. Escape single quotes: replace every single quote in the input with two single quotes, so the attacker's quote cannot terminate the string literal it lands in and change the meaning of the command. Applied to the earlier example, `SELECT * from Users WHERE login = ''' or ''1''=''1' AND password = ''' or ''1''=''1'` compares the login against the literal string `' or '1'='1` and obviously gives a different result from `SELECT * from Users WHERE login = '' or '1'='1' AND password = '' or '1'='1'`. Note that this only protects values that sit inside a quoted literal; a number spliced into `WHERE id = ` followed by the input has no quotes for the attacker to escape.

2. Remove comment sequences (the `--` of a line comment; `/* */` block comments deserve the same treatment) from the input, so the attacker cannot build a query such as `SELECT * from Users WHERE login = 'mas'--' AND password = ''`, in which everything after `--` is commented out and the password condition no longer applies. With such a query the attacker needs only a valid login name, not the password, to get in.

3. Restrict the permissions of the database account that executes the query. Use different accounts for SELECT, INSERT, UPDATE and DELETE work. By separating what each account may do, a code path that only needs to run SELECT cannot be turned into one that runs INSERT, UPDATE or DELETE.
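The quote-doubling and comment-stripping filters from items 1 and 2, applied to the login query above, as an added C# example that is not part of the original article. It also shows the case those filters do not cover: a value spliced into the query outside of quotes. The class and method names, and the hypothetical lookup-by-id query, are illustrative.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example (not from the original article): the escaping filters from
// items 1 and 2 of "(1) dynamic SQL", and a query shape they cannot protect.
public static class LiteralEscaping
{
    // Item 1: double every single quote so an attacker's quote cannot
    // terminate the string literal the value is placed in.
    public static string EscapeQuotes(string input)
    {
        return input.Replace("'", "''");
    }

    // Item 2: remove SQL comment sequences ("--", "/*", "*/") so the rest of
    // the statement cannot be commented out.
    public static string StripComments(string input)
    {
        return Regex.Replace(input, @"--|/\*|\*/", string.Empty);
    }

    // The article's login query rebuilt with both filters. This is safe only
    // because both values land inside single-quoted literals.
    public static string BuildLoginQuery(string login, string password)
    {
        return "SELECT * FROM Users WHERE login = '" + EscapeQuotes(StripComments(login))
             + "' AND password = '" + EscapeQuotes(StripComments(password)) + "'";
    }

    // Hypothetical lookup by numeric id. The input is NOT inside quotes, so
    // quote doubling changes nothing and "1 OR 1=1" still alters the query.
    public static string BuildUserByIdQuery(string id)
    {
        return "SELECT * FROM Users WHERE id = " + EscapeQuotes(StripComments(id));
    }

    public static void Main()
    {
        // The article's payload in both fields: compared as a plain string.
        Console.WriteLine(BuildLoginQuery("' or '1'='1", "' or '1'='1"));
        // The comment-based payload: the "--" is removed, the password
        // condition survives and the stray quote is doubled.
        Console.WriteLine(BuildLoginQuery("mas'--", "x"));
        // The unquoted numeric case: still injected after both filters.
        Console.WriteLine(BuildUserByIdQuery("1 OR 1=1"));
    }
}
```

The last call is the reason escaping is a fallback rather than the primary defence: it only helps where the value is known to sit inside a quoted literal, and every new query shape has to be audited for that. Binding values as parameters, as the next item describes, removes the question entirely.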

(2) Use stored procedures for all queries.

Values reach a stored procedure as typed SQL parameters rather than as part of the SQL text, so single quotes and comment sequences in them have no effect. In addition, the database account's permissions can be limited to EXECUTE on specific stored procedures, and all user input is confined to the security context of the procedure invoked, which makes injection much harder. One caveat: a procedure that itself builds dynamic SQL by concatenating its parameters (for example with EXEC) reintroduces the problem inside the database.
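The login check done with SqlParameter instead of string concatenation, first as inline parameterised SQL and then as a stored procedure call, as an added example that is not code from the original article. The connection string, the Users table layout, the column user_id and the procedure name dbo.usp_LoginUser are illustrative assumptions. The example also enforces the input-length limit of item (3) and the single-row check of item (6) below; in a real application the @password value would be the stored password hash (item (5)), not the plaintext.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not from the original article): the article's login query
// with bound parameters. Table, column, procedure and connection details are
// assumptions for illustration.
public static class ParameterizedLogin
{
    // Returns the user_id of the single matching user, or null on any failure.
    public static int? Authenticate(SqlConnection conn, string login, string password)
    {
        // Item (3): reject over-long values before they reach the database.
        if (login == null || login.Length > 10 || password == null || password.Length > 128)
            return null;

        // The values are bound to @login and @password at execution time and
        // never become part of the SQL text, so "' or '1'='1" and "mas'--"
        // are compared as ordinary strings, quotes and dashes included.
        const string sql =
            "SELECT user_id FROM Users WHERE login = @login AND password = @password";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@login", SqlDbType.NVarChar, 10).Value = login;
            cmd.Parameters.Add("@password", SqlDbType.NVarChar, 128).Value = password;
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read()) return null;   // no such user
                int userId = reader.GetInt32(0);
                if (reader.Read()) return null;    // item (6): more than one row is an error
                return userId;
            }
        }
    }

    // Stored-procedure version (item (2)). The application's database account
    // needs only EXECUTE on dbo.usp_LoginUser, not SELECT on Users.
    //
    // Assumed definition:
    //   CREATE PROCEDURE dbo.usp_LoginUser @login NVARCHAR(10), @password NVARCHAR(128) AS
    //     SELECT user_id FROM Users WHERE login = @login AND password = @password;
    // A procedure that instead ran EXEC('... WHERE login = ''' + @login + '''')
    // would be injectable again, bound parameters or not.
    public static int? AuthenticateViaProcedure(SqlConnection conn, string login, string password)
    {
        using (var cmd = new SqlCommand("dbo.usp_LoginUser", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@login", SqlDbType.NVarChar, 10).Value = login;
            cmd.Parameters.Add("@password", SqlDbType.NVarChar, 128).Value = password;
            // ExecuteScalar returns the first column of the first row, or null
            // when the procedure returns no rows; unlike Authenticate() it does
            // not detect a second row, so the procedure should enforce that.
            object result = cmd.ExecuteScalar();
            if (result == null || result == DBNull.Value) return null;
            return Convert.ToInt32(result);
        }
    }

    public static void Main()
    {
        // Illustrative connection; the account should hold only the rights
        // this page needs (item (1), point 3).
        const string connectionString = "Server=(local);Database=AppDb;Integrated Security=true;";
        using (var conn = new SqlConnection(connectionString))
        {
            conn.Open();
            int? id = Authenticate(conn, "' or '1'='1", "' or '1'='1");
            Console.WriteLine(id.HasValue ? "authenticated user " + id : "rejected");
        }
    }
}
```

With parameters the attacker's payload is simply a login name that does not exist, and the length check on the parameters means the database never sees more than 10 characters of it.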

(3) Limit the length of form and query-string input.

If a login name is at most 10 characters, do not accept more than 10 characters in that form field; this greatly reduces the room an attacker has to embed harmful code in an SQL command.

(4) Check the validity of user input and make sure it contains only legitimate data.

Checks should be performed on both the client and the server; the server-side check exists to compensate for the weakness of client-side validation.

On the client side an attacker can simply fetch the page source, modify the validation script (or delete it), and submit illegal content through the altered form. The only way to be sure that validation really happened is therefore to repeat it on the server. ASP.NET ships many built-in validation controls, such as RegularExpressionValidator, which generate client-side script and also validate on the server during the postback; if none fits, a CustomValidator with a server-side ServerValidate handler can be written. In every case the page must check Page.IsValid before acting on the input, because a failed validator does not by itself stop the button's click handler from running.
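Server-side validation of the login field with a CustomValidator, as an added example that is not code from the original article. The control names (txtLogin, valLogin, btnLogin), the markup in the comment and the allow-list pattern are illustrative assumptions; the point it demonstrates is that the ServerValidate handler runs regardless of what happened to the client-side script, and that the click handler must still consult Page.IsValid.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example (not from the original article): code-behind for an assumed
// login page. Assumed markup:
//
// <asp:TextBox ID="txtLogin" runat="server" MaxLength="10" />
// <asp:CustomValidator ID="valLogin" runat="server" ControlToValidate="txtLogin"
//      ValidateEmptyText="true" OnServerValidate="valLogin_ServerValidate"
//      ErrorMessage="Invalid login" />
// <asp:Button ID="btnLogin" runat="server" Text="Log in" OnClick="btnLogin_Click" />
//
// ValidateEmptyText="true" matters: by default a CustomValidator (and a
// RegularExpressionValidator) treats an empty field as valid.
public partial class Login : Page
{
    // Allow-list rather than block-list: only the characters a login name may
    // legitimately contain, anchored with ^ and $ so "mas'--" or
    // "' or '1'='1" can never match.
    private static readonly Regex LoginPattern =
        new Regex(@"^[A-Za-z0-9_]{1,10}$", RegexOptions.Compiled);

    public static bool IsValidLogin(string value)
    {
        return value != null && LoginPattern.IsMatch(value);
    }

    // Runs on the server on every postback, whether the client-side script
    // ran, was altered, or was removed by the attacker.
    protected void valLogin_ServerValidate(object source, ServerValidateEventArgs args)
    {
        args.IsValid = IsValidLogin(args.Value);
    }

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // A failed validator only records the failure in Page.IsValid; the
        // click handler still executes, so the check here is mandatory.
        Page.Validate();
        if (!Page.IsValid)
        {
            return;
        }
        // The login value is now known to match the allow-list and can be
        // passed, as a parameter, to the authentication query.
    }
}
```

Validation of this kind narrows the input to what the application actually expects; it complements parameterised queries rather than replacing them, since a field that legitimately allows quotes (a surname such as O'Brien) cannot be protected by an allow-list alone.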

(5) Store passwords (and similar secrets) as hashes and compare the hash, not the plaintext.

Hashing the password the user typed and comparing the result with the stored hash is equivalent to "sterilizing" that input: the hash is a fixed-length hexadecimal string that carries no SQL meaning, so nothing the user typed into the password field can reach the database as SQL. System.Web.Security.FormsAuthentication has a method, HashPasswordForStoringInConfigFile, that returns such a hex string; it is, however, an unsalted MD5 or SHA1 digest and is marked obsolete in current versions of the framework, so a salted, iterated hash such as PBKDF2 (Rfc2898DeriveBytes) should be used instead. Note also that only the hashed field is sterilized; the login name still needs parameters or validation.

(6) Check the number of records returned by the query.

If the program expects exactly one record but more than one comes back, treat it as an error: an authentication query that matches several users is a sign that its WHERE clause has been tampered with.

Those are the methods for preventing SQL injection attacks in ASP.NET; hopefully they are useful for your study.
