lostecho/build-web-application-with-golang
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Change sentence structure and fix grammatical errors for 09.4.md [en]

Browse Source
This commit is contained in:
Anchor
2014-10-28 14:08:57 -07:00
committed by James Miranda
parent c9c96258e8
commit d2a57c179a
1 changed files with 22 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
en/eBook/09.4.md
View File

@@ -2,15 +2,15 @@
## What is SQL injection
SQL injection attacks (SQL Injection), referred to injection attacks, Web development is the most common form of security vulnerabilities. You can use it to obtain sensitive information from the database, or the use of the characteristics of the process of adding users to the database, export file and a series of malicious actions, there may even get a database as well as the highest authority system users.
SQL injection attacks are (as the name would suggest) one of the many types of script injection attacks. In web development, these are the most common form of security vulnerabilities. Attackers can use it to obtain sensitive information from databases, and aspects of an attack can involve adding users to the database, exporting private files, and even obtaining the highest system privileges for their own nefarious purposes.
SQL injection caused because the program does not effectively filter user input, so that an attacker successfully submitted to the server malicious SQL query code, the program will receive the error after the attacker's input as a part of query execution, leading to the original the query logic is changed, the additional execution of attacker crafted malicious code.
SQL injection occurs when web applications do not effectively filter out user input, leaving the door wide open for attackers to submit malicious SQL query code to the server. Applications often receive injected code as part of an attacker's input, which alters the logic of the original query in some way. When the application attempts to execute the query, the attacker's malicious code is executed instead.
## SQL injection examples
Many Web developers do not realize how SQL queries can be tampered with, so that an SQL query is a trusted command. As everyone knows, SQL queries are able to circumvent access controls, thereby bypassing standard authentication and authorization checks. What is more, it is possible to run SQL queries through the host system level commands.
Many web developers do not realize how SQL queries can be tampered with, and may hold the misconception that they are trusted commands. As everyone knows, SQL queries are able to circumvent access controls, thereby bypassing the standard authentication and authorization checks. What's more, it's possible to run SQL queries through commands at the level of the host system.
The following will be some real examples to explain in detail the way SQL injection.
Let's have a look at some real examples to explain the process of SQL injection in detail.
Consider the following simple login form :
@@ -20,53 +20,53 @@ Consider the following simple login form :
<p><input type="submit" value="Login" /></p>
</form>
Our processing inside the SQL might look like this :
Our form processing might look like this:
username := r.Form.Get("username")
password := r.Form.Get("password")
sql := "SELECT * FROM user WHERE username='" + username + "' AND password='" + password + "'"
If the user input as the user name, password, any
If the user inputs a user name or password as:
myuser' or 'foo' = 'foo' --
Then our SQL becomes as follows:
Then our SQL becomes the following:
SELECT * FROM user WHERE username='myuser' or 'foo'=='foo' --'' AND password='xxx'
In SQL, anything after `--` is a comment. Thus inserting `--` alters the query. This allows the attacker to successful login as a user without a valid password.
In SQL, anything after `--` is a comment. Thus, inserting the `--` as the attacker did above alters the query in a fatal way, allowing an attacker to successfully login as a user without a valid password.
There are far more dangerous for a MSSQL SQL injection, is the control system, the following examples will demonstrate how terrible in some versions of MSSQL database to perform system commands.
Far more dangerous exploits exist for MSSQL SQL injections, and some can even perform system commands. The following examples will demonstrate how terrible SQL injections can be in some versions of MSSQL databases.
sql := "SELECT * FROM products WHERE name LIKE '%" + prod + "%'"
Db.Exec(sql)
If the attacker Submit `a%' exec master..xp_cmdshell 'net user test testpass /ADD' --` prod value as a variable, then the sql will become
If an attacker submits `a%' exec master..xp_cmdshell 'net user test testpass /ADD' --` as the "prod" variable, then the sql will become
sql := "SELECT * FROM products WHERE name LIKE '%a%' exec master..xp_cmdshell 'net user test testpass /ADD'--%'"
MSSQL Server executes the SQL statement, including its back that is used to add new users to the system commands. If this program is run sa and the MSSQLSERVER service sufficient privileges, the attacker can get a system account to access this machine.
The MSSQL Server executes the SQL statement including the commands in the user supplied "prod" variable, which adds new users to the system. If this program is run as is, and the MSSQLSERVER service has sufficient privileges, an attacker can register a system account to access this machine.
> Although the examples above is tied to a specific database systems, but this does not mean that other database systems can not implement a similar attack. In response to this vulnerability, as long as the use of different methods, various databases are likely to suffer.
> Although the examples above are tied to a specific database system, this does not mean that other database systems cannot be subjected to similar types of attacks. The principles behind SQL injection attacks remain the same, though the method with which they are perpetrated may vary.
## How to prevent SQL injection
Perhaps you will say the attacker to know the database structure information in order to implement SQL injection attacks. True, but no one can guarantee the attacker must get this information, once they got, the database exists the risk of leakage. If you are using open source software to access the database, such as forum, the intruders easily get the related code. If the code is poorly designed, then the risk is even greater. Currently Discuz, phpwind, phpcms popular open source programs such as these have been precedents of SQL injection attacks.
You might be thinking that an attacker would have to know information about the target database's structure in order to carry out an SQL injection attack. While this is true, it's difficult to guarantee that an attacker won't be able to find this information and once they get it, the database can be compromised. If you are using open source software to access the database, such as a forum application, intruders can easily get the related code. Obviously with poorly designed code, the security risks are even greater. Discuz, phpwind and phpcms are some examples of popular open source programs that have been vulnerable to SQL injection attacks.
These attacks happen when safety is not high on the code. So, never trust any kind of input, especially from the user's data, including the selection box, a hidden input field or a cookie. As a first example above it, even if it is a normal query can cause disasters.
These attacks happen to systems where safety precautions are not prioritized. We've said it before, we'll say it again: never trust any kind of input, especially user data. This includes data coming from selection boxes, hidden input fields or cookies. As our first example above has shown, even supposedly normal queries can cause disasters.
SQL injection attacks harm so great, then how to combat it ? Following suggestions may be the prevention of SQL injection have some help.
SQL injection attacks can be devastating -how can do we even begin to defend against them? The following suggestions are a good starting point for preventing SQL injection:
1. Strictly limit the operation of the Web application database permissions to this user is only able to meet the minimum permissions of their work, thus to minimize the harm to the database injection attacks.
2. Check whether the data input has the expected data format, and strictly limit the types of variables, such as using some regexp matching processing package, or use strconv package right string into other basic types of data to judge.
3. Pairs of special characters into the database ( '"\&*; etc. ) be escaped, or transcoding. Go to `text/template` package inside the `HTMLEscapeString` function can be escaped strings.
4. All the recommended database query parameterized query interface, parameterized statement uses parameters instead of concatenating user input variables in embedded SQL statements that do not directly spliced SQL statement. For example, using `database/sql` inside the query function `Prepare` and `Query`, or `Exec(query string, args... interface {})`.
5. In the application before releasing recommend using a professional SQL injection detection tools to detect, and repair was discovered when a SQL injection vulnerability. There are many online open source tool in this regard, for example, sqlmap, SQLninja so on.
6. Avoid printing out SQL error information on webpage in order to prevent an attacker using these error messages for SQL injection. Ex. such as type errors, and fields not matching, or any SQL statements.
1. Strictly limit permissions for database operations so that users only have the minimum set of permissions required to accomplish their work, thus minimizing the risk of database injection attacks.
2. Check that input data has the expected data format, and strictly limit the types of variables that can be submitted. This can involve regexp matching, or using the strconv package to convert strings into other basic types for sanitization and evaluation.
3. Transcode or escape from pairs of special characters ( '"\&*; etc. ) before persisting them into the database. Go's `text/template` package has a `HTMLEscapeString` function that can be used to return escaped HTML.
4. Use your database's parameterized query interface. Parameterized statements use parameters instead of concatenating user input variables in embedded SQL statements; in other words, they do not directly splice SQL statements. For example, using the the `Prepare` function in Go's `database/sql` package, we can create prepared statements for later execution with `Query` or `Exec(query string, args... interface {})`.
5. Before releasing your application, thoroughly test it using professional tools for detecting SQL injection vulnerabilities and to repair them, if they exist. There are many online open source tools that do just this, such as sqlmap, SQLninja, to name a few.
6. Avoid printing out SQL error information on public webpages. Attackers can use these error messages to carry out SQL injection attacks. Examples of such errors are type errors, fields not matching errors, or any errors containing SQL statements.
## Summary
Through the above example we can know, SQL injection is harmful to considerable security vulnerabilities. So we usually write for a Web application, it should be for every little detail must attach great importance to the details determine the fate of life is so, writing Web applications as well.
Through the above examples, we've learned that SQL injection is a very real and very dangerous web security vulnerability. When we write web application, we should pay attention to every little detail and treat security issues with the utmost care. Doing so will lead to better and more secure web applications, and can ultimately be the determing factor in whether or not your application succeeds.
## Links