
Available online at www.sciencedirect.com

Procedia Engineering 15 (2011) 4131 – 4135

Advanced in Control Engineering and Information Science

SQL injection attack and guard technical research


XuePing-Chen *
Chongqing College of Electronic Engineering, Chongqing 401331, China

Abstract

Because of various Web server vulnerabilities and insufficiently rigorous programming, script attacks against Web servers are increasing. Most of them use ASP or PHP script injection as the main means of attack, and with the rapid expansion of Web sites today, attacks based on SQL injection have gradually become the mainstream. SQL injection is an attack technique that works by inserting harmful characters. The attacker exploits the fact that programmers check the legitimacy of user input loosely or not at all, and deliberately submits special code from the client in various ways to manipulate data, thereby collecting information about the program and the server and obtaining the desired information. This paper briefly introduces the concept and principle of the SQL injection attack and the process by which it is carried out, and on this basis describes how to detect SQL injection attacks and summarizes general methods of preventing them. Examples of injection attack prevention technology on the ASP website platform are analyzed, so that SQL injection prevention technology plays a better role in the practical application of Web security systems and more effectively resists hackers and other malicious damage.

© 2011 Published by Elsevier Ltd. Open access under CC BY-NC-ND license.


Selection and/or peer-review under responsibility of [ceis]
Keywords: Web site safety, SQL injection, website protection

1.Introduction

With the spread of the Internet and the rapid development of the Web, Web applications have not only improved the efficiency of work but also strengthened the market competitiveness of enterprises. Web platforms are flexible, efficient and low in cost, and these information advantages have greatly improved the working efficiency of the departments concerned, promoted the thorough development of actual business, and enhanced exchange, service and interaction between departments and the outside world. After more than ten years of development of our country's computer industry, the nation's industrial production management systems are based on Internet architecture; from national defense engineering, government offices and financial systems to network games, online banking and network transactions, all are inseparable from the network. Today the Internet has become an indispensable part of life. How to effectively ensure stable and safe network operation is an important topic, and also a headache for network managers of all kinds.

* Corresponding author. Tel.: +8613108981102.
E-mail address: [email protected].

1877-7058 © 2011 Published by Elsevier Ltd. Open access under CC BY-NC-ND license.
doi:10.1016/j.proeng.2011.08.775

2.SQL Injection Background And Network Environment

Because of various Web server vulnerabilities and insufficiently strict programming, script attacks against Web servers are increasing. Most of them use ASP or PHP script injection as the main means of attack, and with the rapid growth in the number of Web sites, attacks based on SQL injection have become the mainstream. At the same time, it is common for those who write Web server scripts to neglect security testing of their program code, which leaves a large number of loopholes in Web servers that provide interactive operation; at least 70% of sites have SQL injection flaws. Malicious users can exploit defects in the server and in the database configuration, and use carefully constructed illegal statements, submitted through programs or scripts, to invade the server, obtain website administrator permissions and obtain the related database content. In serious cases they can also obtain system information about the whole server behind the connection. This is not only a serious threat to the information in the database, but even a threat to the system and to the users themselves.

3.Web Security Situation

With the deepening of network applications, the number of Internet websites is increasing at an amazing speed. Government departments, enterprises and management agencies of all kinds use websites to establish information platforms for various business applications. A website is an information release center, and its database stores a large amount of important information and material for users to share. Therefore security, which ensures the normal operation of the website, is an important issue that should be fully considered during website construction and operation. Although the scale of Internet applications has developed rapidly, the complexity and variability of the network environment and the vulnerability of information systems mean that existing computer systems still do not have security protection commensurate with the scale of their applications, and a large number of online threats constantly pound network application platforms in all sorts of hidden ways. Network security problems are not reflected at the technical level of information confrontation; in actual social activities, threats arise more from the drive of huge interests.
(1) Unauthorized access to websites
The Internet is an open network with no controlling agency. The openness of the TCP/IP protocol family on which it is based greatly facilitated the networking and direct interconnection of all kinds of computers, and promoted the rapid development of Internet technology. But because early network protocol design neglected security, the use and management of the Internet became chaotic, and the safety and security of the Internet itself has gradually been threatened. Hackers often get the chance to intrude into computer systems on the network, to steal confidential data and privileges, to destroy important data, or to keep a system from functioning fully until it is paralyzed.
Unauthorized access is fatal to website security, and the degree of harm it causes is the largest. Simple and short system passwords, operating system vulnerabilities, defects in application software, default shared folders, large numbers of open network application services and security levels that are set too low all make illegal intrusion convenient for hackers.
(2) Information security management
Information security management includes physical protection and application protection. Physical protection means installing physical barriers in the environment of the physical equipment that carries information on the network, to prevent eavesdropping on electromagnetic signals from physical lines. In the network management center and in places where important data is exchanged and stored, standard and relatively independent network exchange centers and important switching nodes are set up according to confidentiality construction requirements, and measures such as anti-static grounding, physical shielding and protection against electromagnetic interference are adopted to restrain the electromagnetic radiation signals of data exchange, thereby preventing their diffusion and preventing information from being physically eavesdropped illegally. Application protection refers to shielding each link in the application of an electronic information system. At present most of the electronic information on a Web server is stored in a database on a computer. In responding to the requirements of various Web applications, the storage, transmission and processing of electronic information by computer does not yet have the protection of an envelope and a signature, as traditional mail communication does. Whether the source of information is genuine, whether the content has been altered and whether it has been leaked are all aspects of the management security problem.
(3) Spread of network viruses
With the expansion of network size, computer network viruses pose a greater threat to sites. Network viruses spread very fast on the Internet, and their harm is enormous.

4.Introduction To The SQL Injection Network Environment

The SQL Server system is the major source from which injection attacks obtain sensitive information, and also the springboard for penetrating the server system behind the connection. SQL Server is a comprehensive database management system platform made by Microsoft; it integrates various tools and can provide data management from user level to enterprise level. SQL Server is recognized as the best database running on the Windows platform. It has a symmetric multiprocessor structure, pre-emptive multitasking management, and sound fault tolerance and recovery capabilities. SQL Server is a C/S (client/server) data management platform designed specially for a wide range of corporate clients and for independent software vendors who create commercial applications. In its database structure, its methods of use and its data management model, it fully embodies convenience for customers and meets the needs of users. The security vulnerabilities that injection attacks exploit also come largely from these structures and functions designed to meet users' needs; internal function calls, for example, give malicious attackers a convenient means of reaching the operating system.

5.SQL Injection Attack Technical Analysis

With the development of the C/S (client/server) model, more and more Web applications are written using this technique. The Web server is now the main medium of information exchange for enterprises and individuals, and it is accessible to anyone among the general public. In addition, the security awareness of today's network programmers is uneven, and a considerable part of server code does not filter input for security, so the Web server and database server programs contain serious hidden security dangers that a malicious user can use to obtain control privileges over the server front end and back end. An injection attack takes advantage of the interactive interfaces that present-day servers expose: the client browser submits carefully constructed malformed statements, and the attack achieves its purpose through the server's interactive parsing and processing of them.
(1) SQL injection principle
We start the introduction with a website, www.XXX.com. We open the page at the address http://www.xxxx.com/showdetail.asp?id=54 and add a single quote ' to the end of this address; the server returns the following error:
Microsoft JET Database search string 80040e14 'mistakes' grammatical mistakes in query expressions' ID = 54'. /showdetail.asp, line 8
From this error message we can see the following:
1) The site uses an Access database through the JET engine, and does not connect to the database through ODBC.
2) The program does not check whether the data submitted by the client conforms to the program's requirements.
3) The table queried by the SQL statement has a field named ID.
From the above example we can see that the principle of SQL injection is to submit special code from the client in order to collect information about the program and the server, and thereby obtain the information you want.
(2) Judging whether SQL injection is possible
After the above, you may feel that testing whether injection is possible is very simple. Actually, this is not the best method, for the following reasons:
First, not every IIS server returns the specific error to the client. If the program adds a statement such as cint(parameter), SQL injection will not succeed, but the server will still report an error, and the specific message is that an error occurred on the server while processing the URL and that you should contact the system administrator.
Second, some programmers who know a little about SQL injection think that filtering single quotes is enough to be safe. Such cases are not few, and if you test with a single quote, injection points of this kind will not be detected.
Test with the following method instead.
① http://www.xxxx.com/showdetail.asp?id=54
② http://www.xxxx.com/showdetail.asp?id=54 ;and 1=1
③ http://www.xxxx.com/showdetail.asp?id=54 ;and 1=2
This is the classic 1=1, 1=2 test method; the results returned by the three URLs above show whether SQL injection is possible.
When injection is possible, the behavior is as follows:
① displays properly.
② displays normally, with content basically the same as ①.
③ prompts BOF or EOF (the program did not do any checking), or prompts that no record can be found (the program checked rs.EOF), or displays empty content.
When injection is not possible, the behavior is as follows: ① also displays normally, while ② and ③ usually show an error defined by the program, or a type conversion error.
(3) Judging the database type and the injection method
Different databases have different functions and injection methods, so before injecting we must determine the database type. The databases most often paired with ASP are Access and SQL Server; more than 90 percent of the websites on the net use one of them.
SQL Server has some system variables. If IIS error prompts have not been turned off on the server and SQL Server returns errors, the type can be obtained directly from the error information, as follows:
http://www.xxxx.com/showdetail.asp?id=54 ;and user>0
This statement is very simple, but it contains the essence of the injection method unique to SQL Server. Let us analyze its meaning. The front part of the statement is normal; the key is in and user>0. user is a built-in SQL Server variable whose value is the user name of the current connection and whose type is nvarchar. When an nvarchar value is compared with the int value 0, the system first tries to convert the nvarchar value to type int. The conversion will of course fail, and the SQL Server error message is: a syntax error occurred when converting the nvarchar value "ABC" to a column of data type int. ABC is the value of the variable user, so we are given the database user name.
The SQL Server user sa is a role with permissions equivalent to Administrators; with sa permissions one can almost certainly obtain Administrator on the host. The method above makes it easy to test whether the login is sa. Note that if the login is sa, the message says that an error occurred converting "dbo" to an int column, rather than "sa".
If IIS on the server does not allow errors to be returned, how can the type of database be identified? We can start from the differences between Access and SQL Server. Access and SQL Server each have their own system tables, such as the table that stores all the objects in the database. In Access this is the system table [msysobjects], but reading it in a Web environment prompts "no permission"; in SQL Server it is the table [sysobjects], which can be read normally in a Web environment.
Once it is confirmed that injection is possible, use the following statements:
http://www.xxxx.com/showdetail.asp?id=54 ;and (select count(*) from sysobjects)>0
http://www.xxxx.com/showdetail.asp?id=54 ;and (select count(*) from msysobjects)>0
If the database is SQL Server, the page at the first URL is roughly the same as the original page http://www.xxxx.com/showdetail.asp?id=54, while the second URL fails with a message that the table msysobjects cannot be found, and the page is completely different from the original page.
If the database is Access, the situation is different: the page at the first URL is completely different from the original page. For the second URL, it depends on whether the database settings allow this system table to be read; generally this is not allowed, so the page is also completely different from the original. In most cases the first URL is enough to determine the type of database system, and the second URL serves only as verification when IIS error prompts are turned on.
(4) The SQL injection process
First, assess the environment, look for injection points and determine the database type, as introduced above.
Second, according to the type of the injected parameter, work out the original form of the SQL statement. By parameter type the cases are as follows:
(A) ID=54: this kind of injection parameter is numeric, and the original SQL statement is roughly as follows:
Select * from table name where Field = 54
The injected parameter is ID=54 And [query condition], which generates the statement:
Select * from table name where Field = 54 And [query condition]
(B) Class=documentary: this kind of injection parameter is of character type, and the original SQL statement is roughly as follows:
Select * from table name where Field = 'documentary'
The injected parameter is class=documentary' and [query condition] and ''=', which generates the statement:
Select * from table name where Field = 'documentary' and [query condition] and ''=''
(C) A search parameter that is not filtered, such as keyword=keyword; the original SQL statement is roughly as follows:
Select * from table name where fields like '%keyword%'
The injected parameter is keyword=' and [query condition] and '%25'=', which generates the statement:
Select * from table name where fields like '%' and [query condition] and '%'='%'
Then, replace the query condition with SQL statements to guess the table name, for example:
ID=54 And (Select Count(*) from Admin)>=0
If the page is the same as the one for ID=54, the additional condition holds, that is, the table Admin exists; otherwise it does not exist. Repeat this until the table name is guessed. Once the table name is guessed, replace Count(*) with Count(field name) and use the same principle to guess the field names. Finally, once the table name and column names have been guessed successfully, use SQL statements to derive the values of the fields.
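The probe requests described in this section leave a recognizable trail in Web server logs. The following added example (not part of the original paper) scans request lines for those shapes and groups the findings per client; the log layout, the sample lines and the label names are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Probe shapes described in section 5 of the paper.
BOOL_TEST = re.compile(r"\band\s+(\d+)\s*=\s*(\d+)", re.I)  # and 1=1 / and 1=2
PROBES = {
    "user-compare": re.compile(r"\band\s+user\s*>\s*0", re.I),
    "system-table": re.compile(r"\bfrom\s+\[?m?sysobjects\b", re.I),
    "count-subquery": re.compile(r"\(\s*select\s+count\s*\(", re.I),
    "stray-quote": re.compile(r"'"),  # low confidence: also matches names like O'Brien
}

# Constructed sample lines in an assumed "client method uri status" layout.
SAMPLE_LOG = [
    "203.0.113.9 GET /showdetail.asp?id=54 200",
    "198.51.100.7 GET /showdetail.asp?id=54%27 500",
    "198.51.100.7 GET /showdetail.asp?id=54%20and%201=1 200",
    "198.51.100.7 GET /showdetail.asp?id=54%20and%201=2 200",
    "198.51.100.7 GET /showdetail.asp?id=54%20and%20user%3E0 500",
    "198.51.100.7 GET /showdetail.asp?id=54%20and%20(select%20count(*)%20from%20sysobjects)%3E0 200",
    "192.0.2.44 GET /search.asp?keyword=and%201=1%20puzzle 200",
]


def classify(uri):
    """Return the probe labels matched by the decoded query string of one URI."""
    query = unquote_plus(urlsplit(uri).query)
    labels = {name for name, rx in PROBES.items() if rx.search(query)}
    match = BOOL_TEST.search(query)
    if match:
        labels.add("bool-true" if match.group(1) == match.group(2) else "bool-false")
    return labels


def scan(lines):
    """Group labels per client; a true test plus a false test forms a pair."""
    seen = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not fit the assumed layout
        client, _method, uri, _status = parts
        seen[client] |= classify(uri)
    findings = {}
    for client, labels in seen.items():
        if {"bool-true", "bool-false"} <= labels:
            labels = (labels - {"bool-true", "bool-false"}) | {"boolean-pair"}
        if labels:
            findings[client] = sorted(labels)
    return findings


if __name__ == "__main__":
    for client, labels in scan(SAMPLE_LOG).items():
        print(client, labels)
```

A lone `bool-true` hit, as for the search request in the sample, is weak evidence; the true/false pair from one client is the pattern worth alerting on.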

6. Preventive Methods

(1) Use parameterized statements
To defend against SQL injection, user input must never be embedded directly into SQL statements. Instead, user input must be filtered, or parameterized statements must be used. A parameterized statement uses parameters rather than inserting user input into the statement. In most cases the SQL statement is fixed, and the user input is confined to a parameter.
(2) Avoid using interpreted programs, because these are what hackers use to execute illegal commands.
(3) To prevent SQL injection, also avoid detailed error messages, because hackers can use this information. Use a standard input validation mechanism to verify the length, type, statements, enterprise rules and so on of all input data.
(4) Use professional vulnerability scanning tools.
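Methods (1) and (3) applied to the three parameter types (A), (B) and (C) from section 5, as an added example that is not code from the original paper. It uses Python's sqlite3 in place of the paper's ASP with Access or SQL Server; the table, rows, length limits and function names are assumptions made for illustration.

```python
import sqlite3

GENERIC_ERROR = "The request could not be processed."  # no engine or query details


def build_db():
    """In-memory stand-in for the site's database; rows are constructed samples."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, class TEXT, title TEXT)")
    db.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                   [(54, "documentary", "Deep sea"),
                    (55, "news", "100% cotton prices")])
    return db


def show_detail_unsafe(db, raw_id):
    """The 'before': input concatenated into the statement, as in case (A)."""
    return db.execute("SELECT title FROM articles WHERE id = " + raw_id).fetchall()


def guarded(query):
    """Run a query function; return a generic message on bad input or DB error."""
    try:
        return query()
    except (ValueError, sqlite3.Error):
        return GENERIC_ERROR


def show_detail(db, raw_id):
    """Case (A), numeric: check type and length, then bind the value."""
    def query():
        if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9):
            raise ValueError("id must be a short decimal number")
        return db.execute("SELECT title FROM articles WHERE id = ?",
                          (int(raw_id),)).fetchall()
    return guarded(query)


def by_class(db, raw_class):
    """Case (B), character: the driver binds the string, so quotes are just data."""
    def query():
        if len(raw_class) > 32:
            raise ValueError("class too long")
        return db.execute("SELECT title FROM articles WHERE class = ?",
                          (raw_class,)).fetchall()
    return guarded(query)


def search(db, keyword):
    """Case (C), search: escape LIKE wildcards, then bind the whole pattern."""
    def query():
        if not 0 < len(keyword) <= 64:
            raise ValueError("keyword length out of range")
        esc = keyword.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
        return db.execute("SELECT title FROM articles WHERE title LIKE ? ESCAPE '\\'",
                          ("%" + esc + "%",)).fetchall()
    return guarded(query)


if __name__ == "__main__":
    db = build_db()
    for value in ("54", "54 and 1=1", "54 and 1=2"):
        print(repr(value), show_detail_unsafe(db, value), show_detail(db, value))
```

With concatenation the 1=1 and 1=2 inputs return different pages, which is exactly the signal the test in section 5 relies on; with validation and binding both inputs get the same generic response.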

7.Conclusion

This paper has discussed and summarized the methods and principle of the SQL injection attack and the process by which it is carried out. Because a SQL injection attack targets programming loopholes introduced during application development, it can bypass the vast majority of firewalls. Although database server versions have been updated and the scripting languages themselves have fewer vulnerabilities, SQL injection technology keeps improving; as long as such loopholes still exist in a Web application system or its source code, the danger will remain, and especially when SQL injection is combined with other attack tools, it poses a huge threat to servers and systems.

Therefore it is of great significance to study methods of preventing SQL injection attacks, to pay attention to the secure configuration of SQL Server, and to strengthen the code's filtering and checking of user input in order to develop safe Web applications. As network security technology develops, further research on SQL injection attack technology is also needed; because the SQL injection technique is quite flexible, many unexpected situations will be encountered during injection. Therefore, when setting up a Web server, the security of the host and the system should be considered as a whole: set the security options of the server and the database, and carry out security inspection of the code, so that such attacks can be prevented and network security realized to the greatest degree.
