First, what is a SQL injection attack?

A SQL injection attack is one in which the attacker inserts SQL commands into the input fields of a web form, or into the query string of a page request, and tricks the server into executing malicious SQL. Forms whose user-entered content is used directly to construct (or influence) dynamic SQL commands, or is passed directly as input parameters to a stored procedure, are particularly susceptible to SQL injection.

A typical SQL injection attack proceeds as follows:

(1) An ASP.NET web application has a login page. This page controls whether the user has access to the application and requires the user to enter a name and a password.

(2) The content entered on the login page is used directly to construct a dynamic SQL command, or is passed directly as a parameter to a stored procedure. Below is an example of how such an ASP.NET application constructs the query:
    System.Text.StringBuilder query = new System.Text.StringBuilder(
            "SELECT * FROM Users WHERE Login = '")
        .Append(txtLogin.Text)
        .Append("' AND Password = '")
        .Append(txtPassword.Text)
        .Append("'");

(3) The attacker enters ' or '1'='1 in both the user name and the password input boxes.
(4) After the user's input is submitted, the server runs the ASP.NET code above to construct the SQL command that looks up the user. Because the attacker's input is crafted, the final SQL command becomes:

    SELECT * FROM Users WHERE Login = '' or '1'='1' AND Password = '' or '1'='1'

(5) The server executes the query or stored procedure and compares the identity information entered by the user with the identity information stored on the server.

(6) Because the SQL command has been modified by the injection, it no longer actually verifies the user's identity, so the system wrongly grants access to the attacker.

If an attacker knows that the application uses the form content directly in the identity-verification query, he will try entering special SQL strings that tamper with the query, change its original function, and trick the system into granting access. The damage an attacker can do varies with the system environment and is determined mainly by the security privileges under which the application accesses the database. If that account has administrator or other elevated permissions, the attacker can perform whatever operations he wants, including adding, deleting or updating data, and may even drop tables directly.

Second, how to prevent it?

Fortunately, protecting an ASP.NET application is not particularly difficult: as long as all input is filtered before the form content is used to construct a SQL command, the attack can be prevented. Filtering input can be done in a variety of ways.

(1) When a SQL query is constructed dynamically, you can use the following technique:
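As an added example, not code from the original article, here is the vulnerable concatenation shown above next to a parameterized version built with SqlCommand and SqlParameter. It assumes a SQL Server table named Users with columns Login and Password (a hypothetical schema) and takes the connection string as a placeholder argument.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text;

// Added example, not code from the original article. Assumes a SQL Server
// table named Users with columns Login and Password (hypothetical schema).
public static class LoginQueries
{
    // Vulnerable: the same string concatenation the article shows. Whatever
    // the user types becomes part of the SQL text that the database parses.
    public static string BuildUnsafeQuery(string login, string password)
    {
        return new StringBuilder("SELECT * FROM Users WHERE Login = '")
            .Append(login)
            .Append("' AND Password = '")
            .Append(password)
            .Append("'")
            .ToString();
    }

    // Hardened: the SQL text is a constant and the user-supplied values are
    // sent as typed parameters, so the database never parses them as SQL.
    // (In a real application the Password column would hold a hash, not the
    // plaintext password.)
    public static bool Authenticate(string connectionString, string login, string password)
    {
        const string sql =
            "SELECT COUNT(*) FROM Users WHERE Login = @login AND Password = @password";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@login", SqlDbType.NVarChar, 64).Value = login;
            cmd.Parameters.Add("@password", SqlDbType.NVarChar, 128).Value = password;
            conn.Open();
            return (int)cmd.ExecuteScalar() == 1;
        }
    }

    public static void Main()
    {
        // Constructed input: the injection string from step (3) of the article.
        string injected = "' or '1'='1";
        // The unsafe builder turns it into a WHERE clause that is always true;
        // Authenticate() would compare the same text literally and match no row.
        Console.WriteLine(BuildUnsafeQuery(injected, injected));
    }
}
```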