[人力资源管理]Advanced_Topics_on_SQL_Injection_Protection.ppt

Advanced Topics on SQL Injection Protection Sam NG CISA, CISSP SQLB samng@ Introduction SQL injection [1, 2] is now one of the most common attacks in the Internet. Simply go to Yahoo! or Google and search for SQL injection and we can find tones of related documents. Although the awareness of SQL injection is rising, still many people do not have very concrete ideas on how to prevent SQL injection attack. This article is not going to tell you what is SQL injection, nor going to tell you the latest techniques in SQL injection attacks, but more important, how to prevent SQL injection correctly and in a more integrated approach. Methods to prevent SQL Injection Input Validation Static query statement Least Privilege Code Verification Web Application Gateway SQL Driver Proxy MISC methods Methods to prevent SQL Injection Input Validation Static query statement Least Privilege Code Verification Web Application Gateway SQL Driver Proxy MISC methods Method 1: Input Validation Some programmers may think escaping apostrophe with two apostrophes (and back slash with two back slashes for MySQL) is all input validation has to do This is completely WRONG! A few important steps are missed and probably the program is still vulnerable to SQL injection. Method 1: Input Validation (cont’d) There are at least four steps we have to do for input validation Escape apostrophe with two apostrophes (and back slash with two back slashes for MySQL) Make sure numeric fields really look like numbers Do step “1 and “2 not only on users direct input, but on all non-constant variables Check if the inputs are within your expectation (e.g. 0 age 120, login id without space, etc.) 1.1: Escape inputs properly Escaping apostrophe with two apostrophes (or back slash with two back slashes for MySQL) usually can be done with one line of code. However, we have to ensure that the decoding is done in the correct order. To avoid SQL injection properly, the apostrophe-escaped input should NOT be furthe