spring prevents sql injection

SpringMVC how to prevent XSS, SQL injection attacks

There are two approaches. The first escapes illegal characters before the data is written to the database and restores (unescapes) them when the record is updated or displayed. The second stores the data exactly as entered and escapes illegal characters only when they are displayed. If the project is still at an early stage, the second is recommended: the JSTL <c:out> tag escapes HTML on output (its escapeXml attribute defaults to true), which takes care of illegal characters in the page. Data that JavaScript renders from server responses must be escaped as well; a method like the following escapeHTML(), applied when the data obtained from the server is parsed, does it. The ampersand has to be replaced first, otherwise the entities produced by the later replacements would be escaped a second time:

```javascript
String.prototype.escapeHTML = function () {
    return this.replace(/&/g, '&amp;')
               .replace(/>/g, '&gt;')
               .replace(/</g, '&lt;')
               .replace(/"/g, '&quot;');
};
```

If the project is already developed and you do not want to change the pages much, use the first method. It relies on Spring MVC's @InitBinder together with java.beans.PropertyEditorSupport and org.apache.commons.lang.StringEscapeUtils:

```java
import java.beans.PropertyEditorSupport;

import org.apache.commons.lang.StringEscapeUtils;

// PropertyEditor that escapes every bound String according to the flags it was built with.
public class StringEscapeEditor extends PropertyEditorSupport {

    private boolean escapeHTML;
    private boolean escapeJavaScript;
    private boolean escapeSQL;

    public StringEscapeEditor() {
        super();
    }

    public StringEscapeEditor(boolean escapeHTML, boolean escapeJavaScript, boolean escapeSQL) {
        super();
        this.escapeHTML = escapeHTML;
        this.escapeJavaScript = escapeJavaScript;
        this.escapeSQL = escapeSQL;
    }

    // Called by the data binder with the raw request parameter.
    @Override
    public void setAsText(String text) {
        if (text == null) {
            setValue(null);
        } else {
            String value = text;
            if (escapeHTML) {
                value = StringEscapeUtils.escapeHtml(value);
            }
            if (escapeJavaScript) {
                value = StringEscapeUtils.escapeJavaScript(value);
            }
            if (escapeSQL) {
                value = StringEscapeUtils.escapeSql(value);
            }
            setValue(value);
        }
    }

    @Override
    public String getAsText() {
        Object value = getValue();
        return value != null ? value.toString() : "";
    }
}
```

Then register the editor in the Spring Controller, so that the server converts special characters automatically as soon as the request data is bound. The method can go directly into an abstract base Controller class so that every Controller instance has it:

```java
@InitBinder
public void initBinder(WebDataBinder binder) {
    // The original shows only this method's signature; registering the editor for
    // String is the call its body has to make. The flag values are assumed here:
    // escape HTML and JavaScript, leave SQL alone (see the note below).
    binder.registerCustomEditor(String.class, new StringEscapeEditor(true, true, false));
}
```

That completes the escape-on-input side of the first method; the matching restore step for update and display is not covered here.

Two caveats apply. StringEscapeUtils.escapeSql only doubles single quotes; it does nothing for injection that needs no quote (numeric contexts, LIKE wildcards, stacked statements after a number), and it was dropped from commons-lang3 for that reason. Use parameterized queries (PreparedStatement, or the ? placeholders of JdbcTemplate) rather than the escapeSQL flag. Escaping HTML at binding time also stores altered data (an & is saved as &amp;), which every other consumer of that data then has to undo or will double-escape; escaping at output, as the second method does, avoids that.

How to prevent SQL injection attacks


SQL injection is one of the most common security vulnerabilities in applications. The attacker supplies input that is concatenated into an application's SQL query so that part of it is parsed as SQL rather than as data, and uses the altered query to read sensitive data, modify or destroy it, or learn how the system is built. If your website or application accepts user input that reaches a database, you need to protect against it. Here are some best practices for preventing SQL injection attacks:

1. Input validation

Input validation is the most basic layer of defence. The application must validate every piece of user input and check that it has the type and format it is supposed to have. The most common way to validate a format is an allow-list regular expression that describes exactly what a valid value looks like. For example, if a field is meant to hold a number, check that the whole value is a number and reject anything else; if it is meant to hold a short identifier, check it against that identifier's exact pattern rather than searching for "bad" characters. The easiest way to do this consistently is to use the validation rules your framework already provides. Validation narrows what an attacker can send, but for free-text fields it cannot stop injection on its own; that is what parameterization (next point) is for.

2. Command parameterization

Parameterization (prepared statements) is the secure way to run SQL and the primary protection against injection. The query text, with placeholders for the values, is sent to the database first and the user's values are bound to the placeholders separately; the database parses the query before it sees the values, so a value can never change the structure of the query. If someone submits malicious SQL, it is simply compared or stored as a string. Placeholders can only stand for values, not for table or column names or an ORDER BY direction; anything of that kind must come from an allow-list inside the application.

3. Reducing the disclosure of error messages

Not returning raw database error messages to clients is another important step. Such messages often reveal table and column names, the query text or the database version, which tells an attacker how the application and schema are built and makes crafting an injection much easier; error-based injection techniques rely on exactly this. Log the detailed error on the server, where administrators can check it, and return only a generic message to the user.

4. Privilege control

Different users need different data, so limit what each can reach. The database account the application connects with should be able to access only the tables and operations it actually needs, not the entire database, and should hold the minimum rights that keep the application working: no DROP, no schema changes, no access to other databases. Inside the application, assign permissions to users by role.

5. Security Maintenance

Check your application for vulnerabilities regularly and keep it up to date. Apply security updates to the application, its frameworks and the database server promptly so that known flaws are closed. In addition, take protective measures such as data encryption, backups and access controls so that the data stays secure even if a flaw is found.

In summary, SQL injection is a common form of attack and a serious threat for most organizations. The practices above protect your applications against it. The single most important point is to keep user input out of the SQL text altogether: pass it as bound parameters, and treat validation, privilege limits and error handling as additional layers on top.

How to Prevent SQL Injection Attacks

I. A simple example of a SQL injection attack.

Consider a query that concatenates the employee number entered by the user into the SQL text:

SELECT * FROM Users WHERE Value = '<employee number entered by the user>'

This is a very common statement; its purpose is to let the user enter an employee number and look up that employee's record. But if the input is chosen by an attacker, it becomes a tool for destroying data. Suppose the attacker enters the following as the employee number: SA001'; drop table c_order --. The SQL statement above then becomes SELECT * FROM Users WHERE Value='SA001'; drop table c_order -- when it is executed.

What does this mean? The semicolon after 'SA001' ends the first query and begins another statement. The double hyphen after c_order marks the rest of the line as a comment, so the closing quote the application appends is ignored. As long as the altered text is syntactically correct, the server executes it: first the query that looks up the user with number SA001, then DROP TABLE c_order, which succeeds unless something else prevents it, such as a foreign key constraint that references the table or a lack of privilege. Once the input has been concatenated into the query, the database has no way to tell injected SQL from the SQL the developer wrote. Therefore you must validate all user input and scrutinize the code that builds and executes SQL commands on the server you are using.

II. Principles of SQL injection attacks.

SQL injection is evidently very harmful. Before looking at how to prevent it, database administrators should understand how the attack works, so that they can take targeted measures.

SQL injection is a common attack on databases. The attacker inserts malicious code into a string that is then passed, by one route or another, to the SQL Server instance to be parsed and executed. As long as the malicious code conforms to SQL syntax, the system will not detect it when the statement is compiled and executed.

SQL injection takes two main forms. In the first, code is inserted directly into the user input variable that is concatenated with the SQL command and executed; the example above uses this form, and because the input is bundled directly with the statement it is known as direct injection. In the second, indirect form (also called second-order injection), the malicious code is injected into a string that is first stored in a table or kept as source data; later, that stored string is concatenated into a dynamic SQL command, and the malicious SQL runs then.

The injection works by terminating the text string early and appending a new command. In a direct injection the attacker ends the current statement with a semicolon inside the user-supplied variable and then inserts a malicious SQL statement. Because the application may append further text (such as a closing quote) before execution, attackers usually finish the injected string with the comment marker --; the system treats everything after it on that line as a comment, so the appended text is ignored rather than compiled and executed.

III. Prevention of SQL injection attacks.

Since SQL injection is so harmful, how can it be prevented? The following suggestions may help database administrators combat it.

1. Strictly separate ordinary user privileges from system administrator privileges.

If an ordinary user embeds a DROP TABLE statement in a query, should it be allowed to execute? DROP acts on basic database objects, so the account running it must hold the corresponding privilege. When designing privileges, end users, that is, the accounts the application software connects with, have no need for permission to create or drop database objects. Then, even if a statement with embedded malicious code reaches the database, the limits on the account's rights prevent that code from executing. So when designing the application, separate the administrator's account from the ordinary application account; this minimizes the damage an injection can do to the database.
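To make this concrete, the following added example (not code from the page) runs the employee lookup with the exact payload from section I against two connections: one with full rights, and one whose rights are cut down the way an application account's should be. It uses Python's sqlite3 so that it runs offline; the sqlite3 authorizer callback stands in for GRANT/REVOKE on a server database, and the schema and rows are constructed for the demo. The lookup deliberately keeps the vulnerable concatenation and runs the result with executescript, mirroring a server that accepts ';'-separated batches, so that the only thing that differs between the two runs is the privilege level.

```python
import sqlite3

# Constructed demo schema (not the page's data): the Users table from section I
# and the c_order table that the injected statement tries to drop.
SCHEMA = """
CREATE TABLE Users (Value TEXT PRIMARY KEY, Name TEXT);
CREATE TABLE c_order (id INTEGER PRIMARY KEY, Value TEXT, amount REAL);
INSERT INTO Users VALUES ('SA001', 'Alice'), ('SA002', 'Bob');
INSERT INTO c_order VALUES (1, 'SA001', 9.5), (2, 'SA002', 42.0);
"""

# The input from section I: closes the quoted literal, stacks a DROP TABLE,
# and comments out the closing quote the application appends.
INJECTED_EMPLOYEE_NO = "SA001'; drop table c_order --"

# Operations the application account must never be able to perform. Everything
# else (SELECT, INSERT, UPDATE, reads of the schema) stays allowed.
SCHEMA_CHANGING_ACTIONS = {
    sqlite3.SQLITE_DROP_TABLE,
    sqlite3.SQLITE_ALTER_TABLE,
    sqlite3.SQLITE_CREATE_TABLE,
}


def app_account_authorizer(action, arg1, arg2, dbname, trigger):
    """Stand-in for GRANT/REVOKE: SQLite asks this callback before each operation."""
    if action in SCHEMA_CHANGING_ACTIONS:
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def new_database():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row[0] == 1


def lookup_employee_unsafely(conn, employee_no):
    """The vulnerable pattern from section I, kept vulnerable on purpose.

    The value is spliced into the SQL text and the result is run as a batch, the
    way a server that accepts ';'-separated statements would. Returns True if the
    whole batch ran, False if the database refused part of it.
    """
    sql = "SELECT * FROM Users WHERE Value='" + employee_no + "'"
    try:
        conn.executescript(sql)
        return True
    except sqlite3.DatabaseError:   # 'not authorized' when the authorizer denies
        return False


def run_as_admin():
    """Full rights: the stacked DROP TABLE executes and c_order is gone."""
    conn = new_database()
    completed = lookup_employee_unsafely(conn, INJECTED_EMPLOYEE_NO)
    return completed, table_exists(conn, "c_order")


def run_as_app_user():
    """Reduced rights: the SELECT runs, the DROP is refused, c_order survives."""
    conn = new_database()                     # schema is created before rights are cut
    conn.set_authorizer(app_account_authorizer)
    completed = lookup_employee_unsafely(conn, INJECTED_EMPLOYEE_NO)
    return completed, table_exists(conn, "c_order")


if __name__ == "__main__":
    print("admin account:", run_as_admin())      # (True, False)
    print("app account  :", run_as_app_user())   # (False, True)
```

The concatenation bug is still there in the second run; the privilege limit only contains the damage. On a real server the equivalent is an application login that has SELECT/INSERT/UPDATE on the tables it serves and nothing else, with schema changes reserved for a separate administrative account.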

2. Force the use of parameterized statements.

If user input is never embedded directly in the SQL statement but passed through a parameter instead, SQL injection is defeated. In other words, user input must never be spliced into the SQL text; pass it as a parameter of a parameterized statement, and treat input filtering as an extra layer rather than a substitute. A parameterized statement keeps the SQL text fixed and carries the user's value separately, so the value cannot alter the statement. This measure eliminates the great majority of SQL injection attacks. Every mainstream database engine and client library supports parameterized statements (prepared statements; sp_executesql with parameters on SQL Server; PreparedStatement in JDBC), so there is little reason not to use them, and database engineers should use them routinely when developing products.

3. Strengthen the validation of user input.

Overall there are two ways to combat SQL injection: strengthen the checking and validation of user input, and force user input to be passed through parameterized statements. SQL Server also provides facilities that help administrators validate input. Test the contents of string variables and accept only the expected values. Reject input that contains binary data, escape sequences or comment characters; this helps prevent script injection and certain buffer overflow attacks. Test the size and data type of user input and enforce appropriate limits and conversions; this helps prevent deliberate buffer overflows and is particularly effective against injection.

Stored procedures can also be used to validate user input, for example by rejecting special symbols. Before the SQL statement is executed, the procedure can refuse input containing characters the application has no legitimate use for: the semicolon, which is the main accomplice in stacked-statement injection, and the comment marker, which is used when code is written, never in a value a user types into a query. Rejecting those rarely causes accidental loss, and for the malicious code in the example above, filtering out the semicolon leaves it no room. Such blocklists are a supplement, not a defence on their own, however: the login bypass quoted later on this page (' or 1 or ') contains neither a semicolon nor a comment marker, and a stored procedure that itself builds dynamic SQL by concatenating its arguments (EXEC with string concatenation) is as injectable as inline SQL. Only parameterized statements, including parameterized calls to the stored procedure, remove the problem.

Therefore, always validate user input by testing its type, length, format and range, and reject whatever does not fit. Combined with parameterized statements, this is a common and effective measure against SQL injection.
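As an added example (not the page's own code), here is what type, length, format and range checks look like in practice, written in Python with allow-list regular expressions. The field formats (an employee number like SA001, a username of letters, digits and underscores, an integer quantity) are assumed for the demo, and the sample inputs are constructed; they include the two payloads quoted on this page. The point to notice is that the allow-list rejects the login-bypass payload even though it contains no semicolon and no comment marker, which a blocklist of "dangerous characters" would let through.

```python
import re

# Allow-list patterns: describe exactly what a valid value looks like instead of
# searching for "dangerous" characters. \A and \Z anchor the whole string; a
# trailing "$" would also accept "SA001\n". Formats are assumed for the demo.
EMPLOYEE_NO_RE = re.compile(r"\A[A-Z]{2}[0-9]{3}\Z")      # e.g. SA001
USERNAME_RE = re.compile(r"\A[A-Za-z0-9_]{3,32}\Z")        # letters, digits, underscore


def validate_employee_no(raw):
    """Type, length and format check for the employee-number field."""
    if not isinstance(raw, str):
        raise ValueError("employee number must be a string")
    if len(raw) > 10:                       # length first, before any pattern work
        raise ValueError("employee number is too long")
    if not EMPLOYEE_NO_RE.match(raw):
        raise ValueError("employee number must be two capital letters and three digits")
    return raw


def validate_username(raw):
    """Format check for a username: only the characters the site allows."""
    if not isinstance(raw, str) or not USERNAME_RE.match(raw):
        raise ValueError("username may contain only letters, digits and underscore")
    return raw


def validate_quantity(raw, low=1, high=10_000):
    """Type and range check for a numeric field: convert first, then bound it."""
    if isinstance(raw, bool):               # bool is an int subclass; reject it explicitly
        raise ValueError("quantity must be an integer")
    try:
        value = int(raw)
    except (TypeError, ValueError):
        raise ValueError("quantity must be an integer") from None
    if not low <= value <= high:
        raise ValueError(f"quantity must be between {low} and {high}")
    return value


def check(validator, raw):
    """Run one validator and report 'accepted' or the reason for rejection."""
    try:
        validator(raw)
        return "accepted"
    except ValueError as exc:
        return "rejected: " + str(exc)


# Constructed inputs: legitimate values next to the payloads quoted on this page.
SAMPLES = [
    (validate_employee_no, "SA001"),
    (validate_employee_no, "SA001'; drop table c_order --"),
    (validate_employee_no, "SA001\n"),
    (validate_username, "admin"),
    (validate_username, "' or 1 or '"),
    (validate_quantity, "42"),
    (validate_quantity, "1; drop table c_order"),
    (validate_quantity, "0"),
]


def run_samples():
    """Return {input: verdict} for the constructed samples."""
    return {raw: check(validator, raw) for validator, raw in SAMPLES}


if __name__ == "__main__":
    for raw, verdict in run_samples().items():
        print(repr(raw), "->", verdict)
```

Validation of this kind belongs at every tier that receives the value, as section 5 below says; it reduces what reaches the database, but the query itself must still be parameterized, because a field that legitimately needs quotes or free text cannot be protected by a pattern.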

4. Use the parameter mechanism provided for SQL Server.

To reduce the impact of injection on a SQL Server database, use the parameter mechanism that the SQL Server client libraries provide for sending values separately from the SQL text. During design, engineers should use it wherever user input reaches a query.

For example, the Parameters collection of SqlCommand in the ADO.NET client library provides type checking and length validation. When it is used, user input is treated as a literal value and never as executable code: even if the input contains SQL, the server receives it as an ordinary string and compares or stores it as such. A further advantage is that type and length are enforced, and a value outside the declared constraints raises an exception before the query runs. In the example above, if the employee number is declared as a string of at most 10 characters and the user sends a 20-character string, an exception is thrown because the input exceeds the declared length.

5. How do I prevent SQL injection attacks in a multi-tier environment?

In a multi-tier application, all data entered by the user should be validated before it is allowed into the trusted zone, and data that fails validation should be rejected by the database with an error returned to the previous tier. Validate at every tier. Precautions aimed at casual malicious users may not stop a determined attacker, so validate input at the user interface and at every subsequent point where it crosses a trust boundary. Validating data in the client application, for example, prevents simple script injection; but if the next tier assumes its input has already been validated, any attacker who bypasses the client by sending requests directly has unrestricted access to the system. Therefore, in a multi-tier environment all tiers must cooperate, with appropriate measures on both the client side and the database side, to prevent SQL injection.

6. Use specialized vulnerability scanning tools, if necessary, to find points of possible attack.

A professional vulnerability scanner can help administrators find the points where SQL injection is possible. A scanner only finds the points of attack; it does not itself defend against them. Attackers use the same kind of tool to search for targets automatically and launch attacks, which is one reason for enterprises to invest in such scanners where necessary. A mature vulnerability scanner differs from a network scanner in that it specializes in finding SQL injection vulnerabilities in database applications, and current scanners also check for newly discovered vulnerabilities. With such a tool an administrator can find the SQL injection points and be alerted to fix them proactively; if the administrator finds and closes the vulnerabilities the attackers would find, the attackers have nothing to work with.

What is sql injection and how to prevent it?

SQL injection is, in fact, entering SQL (or other database) statements into unsafe input controls so as to trick the server into executing malicious operations that affect the database's data. To prevent SQL injection, you can filter the content received from the unsafe field and remove the single quote (') from the accepted string; then it is no longer a SQL statement but only a string that resembles one, and executing the query does no damage to the database.

such as:

```vbscript
username = Request("username")   ' the username, passed in the URL
password = Request("password")   ' the password, also passed in the URL
sql = "select * from userlist where username='" & username & "' and password='" & password & "'"
```

If someone knows a username (the administrator of a site is very often called admin), they can choose the password ' or 1 or '. The SQL then becomes

select * from userlist where username='admin' and password='' or 1 or ''

and since 1 is a constant that is always true, the password check is passed.

There are more ways to prevent it, such as restricting the characters allowed in the username and password: most sites allow only combinations of digits, letters and underscores, which can be checked with JavaScript. You can also use stored procedures instead of splicing SQL strings, and so on.
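The query in this answer, run both ways, as an added example (not code from the answer or from the page): Python's sqlite3 takes the place of the ASP Request object and the database connection so that it runs offline, and the userlist table, its two rows and the clear-text passwords are constructed for the demo (a real system stores password hashes, never the password). The same block also covers the parameterization advice given earlier on this page (point 2 of the best-practice list, item III.2 and the Parameters collection in III.4): one function builds the statement by string splicing exactly as the answer does, the other binds the same values as parameters, and only the first one lets the password ' or 1 or ' through. A parameterized employee lookup with the DROP TABLE payload from section I is included to show that a bound value cannot change the statement.

```python
import sqlite3

# The password from the answer: it closes the quoted literal and ORs in a
# constant true, so the WHERE clause matches every row.
BYPASS_PASSWORD = "' or 1 or '"
ADMIN_PASSWORD = "correct horse battery staple"   # constructed for the demo


def make_db():
    """Constructed tables: the answer's userlist plus the Users table from section I."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE userlist (username TEXT PRIMARY KEY, password TEXT);
        INSERT INTO userlist VALUES ('admin', 'correct horse battery staple');
        INSERT INTO userlist VALUES ('guest', 'guest');
        CREATE TABLE Users (Value TEXT PRIMARY KEY, Name TEXT);
        INSERT INTO Users VALUES ('SA001', 'Alice');
    """)
    return conn


def spliced_sql(username, password):
    """The answer's pattern: the query text is built with string concatenation."""
    # ASP original: sql = "select * from userlist where username='" & username & "' and password='" & password & "'"
    return ("select username from userlist where username='" + username
            + "' and password='" + password + "'")


def login_by_splicing(conn, username, password):
    """Vulnerable: the values become part of the SQL text. Returns matched usernames."""
    return [row[0] for row in conn.execute(spliced_sql(username, password))]


def login_parameterized(conn, username, password):
    """Safe: the SQL text is fixed; the values are bound to the ? placeholders and
    compared as strings, never parsed as SQL."""
    sql = "select username from userlist where username = ? and password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def find_employee(conn, employee_no):
    """Parameterized form of the section I lookup: a payload is a string that matches nothing."""
    sql = "SELECT Name FROM Users WHERE Value = ?"
    return [row[0] for row in conn.execute(sql, (employee_no,))]


if __name__ == "__main__":
    conn = make_db()
    print(spliced_sql("admin", BYPASS_PASSWORD))
    print("spliced, bypass       :", login_by_splicing(conn, "admin", BYPASS_PASSWORD))
    print("parameterized, bypass :", login_parameterized(conn, "admin", BYPASS_PASSWORD))
    print("parameterized, real   :", login_parameterized(conn, "admin", ADMIN_PASSWORD))
    print("employee payload      :", find_employee(conn, "SA001'; drop table c_order --"))
```

With the spliced query, the condition reads username='admin' and password='' or 1 or '', and because the OR with a constant true is evaluated after the AND, every row in userlist matches, so the bypass logs in. With the bound version the database compares the literal string ' or 1 or ' against the stored password and finds no row. The ? placeholder is sqlite3's parameter style; JDBC's PreparedStatement and Spring's JdbcTemplate use the same marker, and SqlCommand.Parameters uses named @parameters, but the principle is identical in all of them.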