SQL injection attacks SQL injection user input SQL injection SQL Command parameters Database account. SQL injection attacks Data Code

Transcription

1 SQL Injection Attack SQL injection attacks SQL injection user input SQL injection SQL Command parameters Database account Login page application database over-privileged account database Attacker SQL injection database commands SQL injection attacks Data Code - User - parameters SQL statements - Over-privileged database login SQL Injection User SSN text box String ' ; DROP DATABASE pubs -- Dynamic

2 // Use dynamic SQL SqlDataAdapter mycommand = new SqlDataAdapter( "SELECT au_lname, au_fname FROM authors WHERE au_id = '" + SSN.Text + "'", myconnection); // Use stored procedures SqlDataAdapter mycommand = new SqlDataAdapter( "LoginStoredProcedure '" + SSN.Text + "'", myconnection); Code D user SELECT au_lname, au_fname FROM authors WHERE au_id = ' ' user SELECT au_lname, au_fname FROM authors WHERE au_id = ''; DROP DATABASE pubs --' current SELECT au_lname, au_fname FROM authors WHERE au_id = ' ' ; (semicolon) ; DROP DATABASE pubs SQL statements SELECT * FROM MyTable DELETE FROM MyTable

3 -- (double dash) SQL comment SQL SQL parser error single quotation mark ) --' SQL injection attacks - - Input data type, length, format range - Data access SQL parameters SQL paramenters stored procedures ( ) SQL command strings d o SQLParameterCollection Parameter collections type Length validation parameters collection input SQL Server excutable code parameter collection type length Values outside of the range trigger an exception. - Database permissions account database stored procedures permissions table - Database Error Information database error error user SSL (Secure Socket Layer) IP Security SQL injection - ၁ input - ၂ stored procedures parameters - ၃ dynamic SQL parameters

4 ၁ input ASP.NET application type length format range input data access queries input SQL injection input characters characters regular expressions validation character characters ASP.NET web page input ASP.NET web page server side code client-side validation server to client round trip user experience client-side validation client to server Server controls input RegularExpressionValidator RangeValidator ASP.NET validator controls HTML input controls input server-side code Regex class code ASP.NET TextBox control SSN Textbox Value Value RegularExpressionValidator Value language="c#" %> <form id="form1" runat="server"> <asp:textbox ID="SSN" runat="server"/> <asp:regularexpressionvalidator ID="regexpSSN" runat="server" ErrorMessage="Incorrect SSN Number" ControlToValidate="SSN" ValidationExpression="^\d3-\d2-\d4$" /> </form> HTML control using System.Text.RegularExpressions; if (Regex.IsMatch(Request.Cookies["SSN"], "^\d3-\d2-\d4$")) // access the database else

5 // handle the bad input - ၂ Untrusted Clients Library code data Regular using System; using System.Text.RegularExpressions; public void CreateNewUserAccount(string name, string password) // Check name contains only lower case or upper case letters, // the apostrophe, a dot, or white space. Also check it is // between 1 and 40 characters long if throw new FormatException("Invalid name format"); // Check password contains at least one digit, one lower case // letter, one uppercase letter, and is between 8 and 10 // characters long if )) throw new FormatException("Invalid password format"); // Perform data access logic (using type safe parameters)... ၂ Stored procedures

6 using System.Data; using System.Data.SqlClient; using (SqlConnection connection = new SqlConnection(connectionString)) DataSet userdataset = new DataSet(); SqlDataAdapter mycommand = new SqlDataAdapter( "LoginStoredProcedure", connection); mycommand.selectcommand.commandtype = CommandType.StoredProcedure; mycommand.selectcommand.parameters.add("@au_id", SqlDbType.VarChar, 11); mycommand.selectcommand.parameters["@au_id"].value = SSN.Text; mycommand.fill(userdataset); ၁၁ ) Parameter CREATE PROCEDURE ntext AS exec GO DROP TABLE ORDERS; stored code a stored pr

7 ၃ code dynamic SQL using System.Data; using System.Data.SqlClient; using (SqlConnection connection = new SqlConnection(connectionString)) DataSet userdataset = new DataSet(); SqlDataAdapter mydataadapter = new SqlDataAdapter( "SELECT au_lname, au_fname FROM Authors WHERE au_id connection); mycommand.selectcommand.parameters.add("@au_id", SqlDbType.VarChar, 11); mycommand.selectcommand.parameters["@au_id"].value = SSN.Text; mydataadapter.fill(userdataset); SQL statement parameter using System.Data; using System.Data.SqlClient;... using (SqlConnection connection = new SqlConnection(connectionString)) SqlDataAdapter dataadapter = new SqlDataAdapter( "SELECT CustomerID INTO #Temp1 FROM Customers " + "WHERE CustomerID SELECT CompanyName FROM Customers " + "WHERE Country and CustomerID IN " + "(SELECT CustomerID FROM #Temp1);", connection); SqlParameter custidparm = dataadapter.selectcommand.parameters.add( "@custidparm", SqlDbType.NChar, 5); custidparm.value = customerid.text; SqlParameter countryparm = dataadapter.selectcommand.parameters.add( "@countryparm", SqlDbType.NVarChar, 15); countryparm.value = country.text; connection.open(); DataSet dataset = new DataSet(); dataadapter.fill(dataset);... SQL injection -

8 - - threat private string SafeSqlLiteral(string inputsql) return inputsql.replace("'", "''"); A Least- ASP. ၁ ၂ ၃

9 tab comprom malici Reference :