Writing a secure ASP code

xiaoxiao2021-03-06  132

First, a questionable filtering method

A typical example is stripping the single quote from every input variable regardless of the variable's type, or replacing each single quote with two single quotes, for example:

ID = Replace(Request.QueryString("ID"), "'", "")

Str = Replace(Request("SomeInput"), "'", "''")

It should be clear now that the first practice is likely wrong. SQL injection does not always depend on a single quote; looked at more broadly, the problem is not any one symbol, so filtering only that symbol misses cases. The essential point of an injection is to close off the preceding SQL condition, usually by satisfying or terminating the existing condition and then introducing new conditions in the same statement. Remedies exist, but given the complexity involved (discussed below), it is best to restrict the types of characters that are accepted as input.

The second approach seems fine, but it carries hidden dangers. It easily creates the illusion that the input string has been handled and that nothing further needs to be done. That statement is not wrong, and for the string as it stands it is quite correct, but it plays an unfortunate role. Imagine that the filtered string is put into the database and a later statement uses it directly; is it still right to depend on the earlier filtering?

Perhaps a better approach is to decide the filtering criteria according to the specific situation.

There are three common kinds of input variable: numbers, strings, and collections (lists). For a numeric variable, simply call the numeric test function and check it everywhere it is used in the code; that is almost always correct. A string variable is basically inserted into the generated SQL statement between single quotes, so if the only aim is to break the injection condition, handling the single quote is roughly sufficient. Likewise, a collection of strings can be handled the same way. A collection of numbers is slightly more troublesome: you must at least allow digits, commas, and perhaps symbols such as spaces that normally appear in the input, so the filtering rules can become complex. You can learn from the DVBBS 6.1 post-patch code, which in general handles the vulnerabilities discovered so far quite well.

As for the second statement, we cannot say it is wrong yet; we will return to it later.
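The per-type checks described above, written out as an added example in classic ASP VBScript (not code from the original article or from DVBBS); the function names, the Board table and the field names are my own assumptions:

```vbscript
' Added example, not from the original article: one check per input type,
' as the article recommends, instead of one blanket quote filter.
' All function, table and variable names here are my own.

' Number: accept only a plain decimal integer that fits a Long.
Function CheckInt(ByVal s)
    Dim i
    CheckInt = False
    s = Trim("" & s)                      ' "" & s also turns Null into ""
    If Len(s) = 0 Or Len(s) > 10 Then Exit Function
    For i = 1 To Len(s)
        If InStr("0123456789", Mid(s, i, 1)) = 0 Then Exit Function
    Next
    If CDbl(s) > 2147483647 Then Exit Function
    CheckInt = True
End Function

' String: the quote itself is innocent, so keep it but double it so the
' statement stays well-formed. Call this where each statement is built.
Function SafeStr(ByVal s)
    SafeStr = Replace("" & s, "'", "''")
End Function

' Collection of numbers, e.g. "3, 17,42": digits, commas and spaces only;
' returns a normalised list, or "" if any element is not an integer.
Function CheckIntList(ByVal s)
    Dim parts, i, out
    CheckIntList = ""
    out = ""
    parts = Split("" & s, ",")
    For i = 0 To UBound(parts)
        If Not CheckInt(parts(i)) Then Exit Function
        If out <> "" Then out = out & ","
        out = out & CStr(CLng(Trim(parts(i))))
    Next
    CheckIntList = out
End Function

' Usage right where the SQL statement is generated:
Dim ID, IDs, SQL
ID = Request.QueryString("ID")
If Not CheckInt(ID) Then
    Response.Write "Invalid ID"
    Response.End
End If
SQL = "SELECT * FROM Board WHERE ID=" & CLng(ID)

IDs = CheckIntList(Request.Form("IDs"))
If IDs = "" Then Response.End
SQL = "DELETE FROM Board WHERE ID IN (" & IDs & ")"
```

Because each check sits immediately before the statement it protects, the filter position rule discussed later in the article (generate the SQL right after filtering) is satisfied by construction.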

Second, can the acquired data be trusted?

In fact the scope of this question is rather large and involves many aspects at once; let us look at an example.

The first problem is selecting which data to filter. We have always thought that everything users enter must be handled appropriately. That is right, but is it the whole picture? Just find a capture tool such as Ethereal and look at what you actually submit when you post a form or open a page. Or, more simply, open NetAnts, edit a task, and in the Protocol tab look at the "Custom Submit" and "User Agent" options.

I think you already understand: the other party can customize far more of their own data than just the GET or POST parameters! If all users used a standard browser, there would be no need to guard so strictly; but if the other party is not so honest, be careful when you take server variables or cookies, because nobody can guarantee that the data you get is legitimate. Cookies have caused problems in many programs, so they have received more emphasis; the others get less attention, but have you seen, or written, code like this:

SQL = "showhot_com_inst_online_char 2," & Statuserid & ",'" & Membername & "','" & Memberclass & "','" _
    & Request.ServerVariables("Remote_Host") & "'," & BoardID & ",'" & Request.ServerVariables("Http_User_Agent") _
    & "','" & Replace(stats, "'", "''") & "','" & Request.ServerVariables("Http_X_Forwarded_For") & "'," _
    & UserGroupid & ",'" & Actcome & "'," & Userhidden & "," & UserID

Request.ServerVariables("HTTP_USER_AGENT") is the User Agent option you see in NetAnts, which means it can be forged, and so can Request.ServerVariables("HTTP_REFERER"), the Submit option you see in NetAnts, and others. When doing projects you are likely to insert this type of variable into the database; be careful at that point, because if it is overlooked the consequences are the same as for any other unfiltered variable.

Search Google for the keyword Request.ServerVariables and you will see plenty of problematic code; or read the articles about the May intrusion of the Dvbbs (Mobile Network) forum, and perhaps your understanding will deepen.

Then there is a slightly subtler problem: what about data that is not direct user input?

This returns to the question left earlier: the potential threat of replacing a single quote with two. When a SQL statement is constructed a second time, with data taken directly from the database, in most cases people think that what was processed earlier no longer needs handling, or simply do not realize that it should be handled. This is extremely wrong! There are two aspects. First, when the data entered the database, doubling the single quotes in the submitted data only guaranteed the correctness of that one SQL statement; it did not solve the problem everywhere. Second, when the data is used again, the dependency of the security check is not guaranteed: the fact that the data was checked is not passed along with it, and the dependency itself cannot be relied on.

For Replace(SomeInput, "'", "''"), the insecurity is that this filter is only a compromise; in other words, it masks the problem within a limited range without handling it permanently. It also has the hateful property of giving the illusion that the problem has been handled, which easily gives subsequent code writers a false sense of security. Both weaknesses can be addressed by changing the way it is written, because simply removing the single quote brings another problem: what if the data genuinely needs a single quote? As I said at the beginning, the single quote itself is innocent and filtering it is only a workaround, so we still write it this way, but strengthen the checks in the subsequent code. For this kind of problem, if you still use the Dvbbs forum, I suggest looking at the vulnerability article of June 8.

There is also the question of where to place the filter, which is entangled with logic issues.

I was very surprised to find that the Joe Forum distributes a version with such a problem. If you are interested, you can see that a specific action sequence (action=flash_view) bypasses all the checks on ID.

In fact, this kind of code is unlikely to have a very complex logical structure. When reviewing the code, all branches can be covered by hand; as long as you think it through, you will find whether the variable can reach its destination, the place where the SQL statement is generated, without passing through the check.

Going deeper into filter location brings out some dazzling things; the intermediate analysis is troublesome and very formal. Although there is indeed an algorithm that guarantees the correctness of the location, here I only want to give some conclusions. If you are very interested, contact me and we can discuss it.

The filter position depends on two aspects: where the variable comes from, and where the SQL statement you need to protect is generated. For the former, whether the input is direct or indirect, first think about the characters it could contain; for the latter, you must ensure that every path leading to the generation of the SQL statement passes through the filtering statement (that is, SQL generation is guaranteed to come after an effective filter). If you do not know how to judge the flow, my suggestion is to use only an IF, with nothing else between nested IFs, and to generate the SQL statement immediately after filtering.

Going back to the potential problem mentioned earlier, we can finally solve it here: check the data again after taking it out. Because, as said before, this indirect input can still cause problems.

At this point, an aside on filter position: do not move input filtering to the client; it can be bypassed! Who can guarantee that your VBScript/JavaScript runs, if the other party uses NC or a browser that does not support scripts?

Both aspects described above are understood through software testing: clearly, it is impossible to exhaust all branches. Before using the data the other party submitted, you can list all the characters they might enter and then review each type of input branch; this is what every code writer should do. It is a simple matter, because only the type is reviewed; the trouble comes with the problem of semantics...

Third, does a correct type mean the input can be let through?

If there is a semantic problem, where possible I choose to avoid it.

For example, take an integer: you have confirmed through the filter that it really is an integer; the potential problem is whether the content of your input is legitimate, or whether this information should be obtained from you at all. Many years ago someone pointed out a problem in some registration modules: the ID is passed implicitly through a type=hidden field after the user is created in the first step, and in the second step an illegal ID can be submitted to modify someone else's information. This kind of problem is very hard to discover and relies almost entirely on experience rather than a specific algorithm. Thinking it through further, for string input it feels as if there is no filtering at all, because compared with collections, a string can accommodate almost any possible set of values. In fact, the common case is that the failure to filter single quotes leads to SQL injection. Strictly speaking, that is also a semantic problem, but in this special case you can guarantee the semantics to some degree by ensuring how the single quote in the input is handled. That is why I have repeatedly stressed that the single quote itself is not guilty; it takes the blame for semantics. Unfortunately, for other data there is no such scapegoat, so there is no way to solve it even to that degree. But do not be pessimistic. As I said before, it can be avoided: the bottom line is not to accept as input any variable that may have semantic issues.

Considering only database security, almost all threatening semantic problems lie in database operations, so we only need to pay attention to statements such as UPDATE and INSERT; if the confidentiality of the data content is considered, SELECT must be counted too. In general, pay particular attention to the generated WHERE condition: the semantics of the condition should be determined by the server, not by whatever the user enters. My suggestion is that all integer variables that may have semantic issues be kept in the Session. Of course, I have not studied this very deeply; perhaps someone can propose an effective way to handle the semantic problems of strings, and it need not be this way. In any case, filtering at the semantic level is not safe, and more importantly nobody can prove it safe; everyone uses it now without problems, but that is merely the default.
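The two points above, re-checking indirect input read back from the database and keeping a semantically sensitive integer in the Session instead of accepting it from the request, as an added example in classic ASP VBScript (not code from the original article); Conn, the Members and Profile tables, the field names and login.asp are my own assumptions:

```vbscript
' Added example, not from the original article: escape at every statement,
' including values read back from the database (indirect input), and take
' the owner ID from the Session rather than from the request.
' Conn, Members, Profile, login.asp and the field names are my own assumptions.

Function SafeStr(ByVal s)
    SafeStr = Replace("" & s, "'", "''")
End Function

Dim UserID, NewSig, SQL, rs, MemberName

' Semantic check: which member may be edited is decided by the server.
' A hidden form field holding the ID would let anyone submit another ID.
If IsEmpty(Session("UserID")) Then Response.Redirect "login.asp"
UserID = CLng(Session("UserID"))

' First statement: direct input, escaped for this statement only.
NewSig = Request.Form("Signature")
SQL = "UPDATE Members SET Signature='" & SafeStr(NewSig) & "' WHERE ID=" & UserID
Conn.Execute SQL

' Second statement: indirect input. The doubled quote written earlier was
' stored as a single quote, so the value read back is escaped again here
' instead of being trusted because it was "already handled".
Set rs = Conn.Execute("SELECT MemberName FROM Members WHERE ID=" & UserID)
If Not rs.EOF Then
    MemberName = "" & rs("MemberName")
    SQL = "INSERT INTO Profile (UserID, MemberName) VALUES (" & UserID & _
          ",'" & SafeStr(MemberName) & "')"
    Conn.Execute SQL
End If
rs.Close
```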

Analyzing semantics drags in a lot of strange things, so I will stop here. I really hope there will be more communication between peers!

As mentioned earlier, this is more useful as a remedy for existing code. For software that starts from the framework, the above is only a reference for design. All vulnerabilities derive from design defects, and good software should be proven correct, which is difficult but achievable. If you had proved the correctness of the software from the start, I do not think there would be any hole to give others an opening.

Please credit the original URL when reposting: https://www.9cbs.com/read-101942.html
