Mysql Tutorial

mysql advanced (twenty-four) summary of methods to defend against SQL injection

黄舟

Feb 11, 2017 am 10:53 AM

Summary of methods to defend against SQL injection

This article mainly explains the methods to defend against SQL injection, introduces what injection is, what is the reason for injection, and how to defend. Need Friends can refer to it.

SQL injection is a very harmful form of attack. Although the harm is great, defense is far less difficult than XSS.

SQL injection can be found at: http://www.php.cn/

The reason why SQL injection vulnerabilities exist is to splice SQL parameters . That is, the query parameters used for input are directly spliced into the SQL statement, resulting in SQL injection vulnerabilities.

1. Demonstrate classic SQL injection

## We see: select id ,no from user where id=2;

If the statement is obtained by splicing sql strings, for example: String sql = "select id,no from user where id=" + id;

The id is a parameter entered by the user. Then, if the user enters 2, then we can see a piece of data found above. If the user enters 2 or 1=1, a SQL injection attack will be carried out.

So you can see that the above statement (select id,no from user where id=2 or 1=1;) has found all the records in the user table.

This is a typical sql injection.

Look at another column:

## We see that the table sqlinject can be deleted directly through sql injection ! The dangers can be seen!

2. Reasons for sql injection

The reason for sql injection is that on the surface it is because strings are spliced to form sql statements, and sql statements are not precompiled and bound. caused by fixed variables.

But the deeper reason is that the string entered by the user is executed as a "sql statement".

For example, the above String sql = "select id,no from user where id=" + id;

We hope that the value of the id entered by the user is only passed as a string literal value. Enter the database for execution, but when 2 or 1=1 is entered, or 1=1 is not used as the literal value of where id=, but is executed as a sql statement. So its essence is to execute the user's input data as a command.

3. Defense against sql injection

1> Basically everyone knows that using sql statements to precompile and bind variables is the best way to defend against sql injection. But not all of the underlying reasons are understood.

String sql = "select id, no from user where id=?";

PreparedStatement ps = conn.prepareStatement(sql);

ps.setInt(1, id);

ps.executeQuery();

As shown above, it is a typical use of sql statement precompilation and bind variables. Why can this prevent sql injection?

The reason is: using PreparedStatement, the SQL statement: "select id, no from user where id=?" will be pre-compiled, that is, the SQL engine will perform syntax analysis in advance and generate a syntax tree. Generate an execution plan, that is to say, the parameters you enter later, no matter what you enter, will not affect the syntax structure of the SQL statement, because the syntax analysis has been completed, and syntax analysis mainly analyzes SQL commands, such as select ,from ,where ,and, or ,order by etc. So even if you enter these sql commands later, they will not be executed as sql commands, because the execution of these sql commands must first pass syntax analysis and generate an execution plan. Now that the syntax analysis has been completed, it has been precompiled. , then the parameters entered later are absolutely impossible to execute as sql commands, and will only be treated as string literal parameters. Therefore, SQL statement precompilation can prevent SQL injection.

2> However, not all scenarios can use sql statement precompilation. Some scenarios must use string splicing. At this time, we strictly check the data type of the parameters, and we can also use some safety functions to do this. sql injection.

For example, String sql = "select id,no from user where id=" + id;

When receiving parameters entered by the user, we strictly check the id, which can only be int type . Complex situations can be determined using regular expressions. This can also prevent sql injection.

The use of safe functions, such as:

MySQLCodec codec = new MySQLCodec(Mode.STANDARD);

name = ESAPI.encoder().encodeForSQL(codec, name) ;

String sql = "select id,no from user where name=" + name;

ESAPI.encoder().encodeForSQL(codec, name)

This function Some special characters contained in the name will be encoded, so that the SQL engine will not treat the string in the name as a SQL command for syntax analysis.

Note

In actual projects, we generally use various frameworks, such as ibatis, mybatis, hibernate, etc. They generally default to sql precompiled. For ibatis/mybatis, if you use the form #{name}, then it is sql precompiled. If you use ${name}, it is not sql precompiled.

The above is a summary of SQL injection defense methods. I hope it will be helpful to everyone’s future study.

Beautiful text and beautiful pictures

##The above is MySQL Advanced (24) Summary of methods to defend against SQL injection. For more related content, please pay attention to the PHP Chinese website (www.php.cn)!

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

What are stored procedures in MySQL?May 01, 2025 am 12:27 AM

Stored procedures are precompiled SQL statements in MySQL for improving performance and simplifying complex operations. 1. Improve performance: After the first compilation, subsequent calls do not need to be recompiled. 2. Improve security: Restrict data table access through permission control. 3. Simplify complex operations: combine multiple SQL statements to simplify application layer logic.

How does query caching work in MySQL?May 01, 2025 am 12:26 AM

The working principle of MySQL query cache is to store the results of SELECT query, and when the same query is executed again, the cached results are directly returned. 1) Query cache improves database reading performance and finds cached results through hash values. 2) Simple configuration, set query_cache_type and query_cache_size in MySQL configuration file. 3) Use the SQL_NO_CACHE keyword to disable the cache of specific queries. 4) In high-frequency update environments, query cache may cause performance bottlenecks and needs to be optimized for use through monitoring and adjustment of parameters.

What are the advantages of using MySQL over other relational databases?May 01, 2025 am 12:18 AM

The reasons why MySQL is widely used in various projects include: 1. High performance and scalability, supporting multiple storage engines; 2. Easy to use and maintain, simple configuration and rich tools; 3. Rich ecosystem, attracting a large number of community and third-party tool support; 4. Cross-platform support, suitable for multiple operating systems.

How do you handle database upgrades in MySQL?Apr 30, 2025 am 12:28 AM

The steps for upgrading MySQL database include: 1. Backup the database, 2. Stop the current MySQL service, 3. Install the new version of MySQL, 4. Start the new version of MySQL service, 5. Recover the database. Compatibility issues are required during the upgrade process, and advanced tools such as PerconaToolkit can be used for testing and optimization.

What are the different backup strategies you can use for MySQL?Apr 30, 2025 am 12:28 AM

MySQL backup policies include logical backup, physical backup, incremental backup, replication-based backup, and cloud backup. 1. Logical backup uses mysqldump to export database structure and data, which is suitable for small databases and version migrations. 2. Physical backups are fast and comprehensive by copying data files, but require database consistency. 3. Incremental backup uses binary logging to record changes, which is suitable for large databases. 4. Replication-based backup reduces the impact on the production system by backing up from the server. 5. Cloud backups such as AmazonRDS provide automation solutions, but costs and control need to be considered. When selecting a policy, database size, downtime tolerance, recovery time, and recovery point goals should be considered.

What is MySQL clustering?Apr 30, 2025 am 12:28 AM

MySQLclusteringenhancesdatabaserobustnessandscalabilitybydistributingdataacrossmultiplenodes.ItusestheNDBenginefordatareplicationandfaulttolerance,ensuringhighavailability.Setupinvolvesconfiguringmanagement,data,andSQLnodes,withcarefulmonitoringandpe

How do you optimize database schema design for performance in MySQL?Apr 30, 2025 am 12:27 AM

Optimizing database schema design in MySQL can improve performance through the following steps: 1. Index optimization: Create indexes on common query columns, balancing the overhead of query and inserting updates. 2. Table structure optimization: Reduce data redundancy through normalization or anti-normalization and improve access efficiency. 3. Data type selection: Use appropriate data types, such as INT instead of VARCHAR, to reduce storage space. 4. Partitioning and sub-table: For large data volumes, use partitioning and sub-table to disperse data to improve query and maintenance efficiency.

How can you optimize MySQL performance?Apr 30, 2025 am 12:26 AM

TooptimizeMySQLperformance,followthesesteps:1)Implementproperindexingtospeedupqueries,2)UseEXPLAINtoanalyzeandoptimizequeryperformance,3)Adjustserverconfigurationsettingslikeinnodb_buffer_pool_sizeandmax_connections,4)Usepartitioningforlargetablestoi

See all articles