怪我咯 2017-04-17 16:25:38
WAF and OneRASP are both effective against SQL injection. A WAF sits in front of the application and can block SQL injection through rule matching. However, because it does not know how SQL statements are actually used inside the application, it can only judge from the partial request parameters, and that is not enough to decide whether a request is SQL injection. This requires administrators to know the application well and to write very complex configurations for it, which also leads to a relatively high false-positive rate.
OneRASP injects the protection program into the application like a vaccine and runs together with it. It knows the application's context and protects it at the JDBC statement level. On the one hand it can see the entire SQL statement, and at the same time it knows exactly what the result is. This is a very solid basis for judging whether something is injection, and it also keeps the false-positive rate very low.
OneRASP has many other advantages. Interested students please visit www.oneASP.com, or search on Baidu.
大家讲道理 2017-04-17 16:25:38
Obviously everyone knows about parameterization. So how do we do parameterization well? If your query is not so complex that it requires building the SQL from strings (such as recursion or dynamic-level joins), then almost all cases can be handled with the following approach:
1. In SQL Server, keep the data together with the stored procedures. This also keeps the data and the packaging in sync, so neither end needs to be changed separately; when the schema changes, the whole update can be done in one transaction.
2. The client (or your website) only accesses stored procedures.
3. Only grant execute permission to your client, so that it can only call stored procedures.
Using stored procedures basically lets the database do the parameterization for you, so you won't make mistakes. And this approach still works when you need to build SQL from a string, because the SQL can also be built inside the stored procedure, and it is particularly convenient to parameterize that SQL there.
All injection problems are solved automatically.
PHPz 2017-04-17 16:25:38
I think that since you understand that a website may be at risk of injection vulnerabilities, you must already understand the principle of injection; so, if you don't want to think about how to filter those complex and tricky injection statements, I think the best approach is to use an ORM instead of the old way of writing database queries! If you are writing the backend in Java, then Hibernate is a framework worth trying!
天蓬老师 2017-04-17 16:25:38
Try not to splice SQL directly from the received data for database access.
If a suitable framework is in use, such as Struts, you can write a custom interceptor to intercept the requests.
Use an ORM framework.
PHP中文网 2017-04-17 16:25:38
Rookie here to answer: here is a simple SQL injection example
// Receive the request parameters
String user = getParam(request, "user", "");
String password = getParam(request, "pswd", "");
// Splice the SQL by string concatenation (this is the vulnerable step)
String checkSql = "select * from user where username='" + user + "' and password ='" + password + "'";
// Request URL
String getUrl = "xxx.jsp?user=admin&pswd=1' or '1'='1";
After the parameters are substituted, the SQL becomes:
select * from user where username='admin' and password ='1' or '1'='1'
This SQL will return every row of the user table. Your interface may really end up returning that user data.
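As an added example, not code from any of the answers above, this reproduces the splicing bug from the snippet and places the parameterized query that the earlier answers recommend next to it. It uses Python's sqlite3 instead of JSP/JDBC so it runs offline; the user table and its two rows are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory user table (not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (username text, password text)")
    conn.executemany(
        "insert into user values (?, ?)",
        [("admin", "s3cret"), ("alice", "hunter2")],
    )
    conn.commit()
    return conn


def login_concat(conn, user, password):
    """Vulnerable: the same string-splicing pattern as the JSP snippet.
    The parameter text becomes part of the SQL grammar, so a quote in it
    can close the literal and append its own condition."""
    check_sql = ("select * from user where username='" + user +
                 "' and password ='" + password + "'")
    return conn.execute(check_sql).fetchall()


def login_param(conn, user, password):
    """Hardened: the values are bound as parameters. The database receives
    the SQL text and the data separately, so the data is never parsed as SQL."""
    check_sql = "select * from user where username=? and password=?"
    return conn.execute(check_sql, (user, password)).fetchall()


def demo():
    """Return the row counts each variant yields for the payload from the post."""
    conn = make_db()
    payload = "1' or '1'='1"  # the pswd value from the request URL above
    return {
        # spliced SQL: ... and password ='1' or '1'='1'  -> every row matches
        "concat_rows": len(login_concat(conn, "admin", payload)),
        # bound parameter: the payload is compared as a plain string -> no match
        "param_rows": len(login_param(conn, "admin", payload)),
        # a genuine credential still works with the parameterized query
        "legit_rows": len(login_param(conn, "admin", "s3cret")),
    }


if __name__ == "__main__":
    print(demo())
```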