我试图对我的系统的登录单元进行压力测试。我的系统是这样设计的 -
如果用户输入 userid - abcd 和密码 pass,那么服务器将获取这些参数并准备一个 sql 命令并将其发送到 microsoft 数据库 -
select password from UserInformationTable where userid = 'abcd';
返回的值与给定的密码 pass 进行比较,然后结果是发送给客户端。
我使用以下方法成功侵入系统 -
用户输入用户 ID - >。这有效,我的完整 UserInformationTable 被删除。
有没有什么优雅的方法来处理这样的黑客问题?一种方法是检测用户 ID 中的“或”子字符串,但我觉得这不太优雅。有什么办法可以限制不。 microsoft sql 语句中的查询数量?
谢谢和问候,
拉兹
I was trying to stress test my system's login unit. My system is designed like this -
if the user enters userid - abcd and password pass then the server takes these parameters and prepares an sql command and fires it to the microsoft database-
select password from UserInformationTable where userid = 'abcd';
The returned value is compared with the given password pass and result is then sent to the client.
I successfully broken into the system using the following method -
user enters userid - <abcd1 or drop table UserInformationTable >. This worked and my complete UserInformationTable got dropped.
Is there any graceful way of handling such a hacking problem. One way is to detect 'or' substring in the userid, but I did not find this very graceful. Is there any way I can restrict the no. of queries in a statement in microsoft sql ?
Thanks and Regards,
Radz
发布评论
评论(3)
这就是著名的“Bobby Tables”漫画所说明的 SQL 注入问题。
这里 是有关如何修复 MS SQL 的一些信息。特别阅读@Rook的回答。
This is the SQL injection problem illustrated by the famous "Bobby Tables" cartoon.
Here is some info on how to fix it for MS SQL. Read especially @Rook's answer.
你有两个问题。
正如其他用户所描述的,您受到 SQL 注入攻击。通过清理您的输入和/或使用参数化查询来解决该问题。
您不应存储或传输纯文本密码。为什么?请参阅 Slashdot。此问题的解决方案是使用单向加密创建密码哈希值以存储在数据库中。当用户尝试对其提供的密码使用相同的加密进行登录时,请搜索数据库以查看是否存在具有相同用户 ID 和密码哈希的行。
You have two problems.
You are subject to SQL injection attack as described by other users. Solve that problem by sanitizing your input and/or using parameterized queries.
You should neither store nor transmit plain text passwords. Why? See this story on Slashdot. The solution to this problem is to use one-way encryption to create a password hash to store in the database. When the user tries to log in use the same encryption on the password he or she provides, then search your database to see if a row exists with the same userid and password hash.
在 SQL 查询中使用参数。他们会自动阻止这种情况发生。 C# 中是这样的:
这不仅适用于 C#,而且基本上所有现代数据库系统和语言都支持参数化查询 <- google 一下。
其次,您的第一个查询可以更改为:
然后计算返回的行数,如果为 0,则用户输入了错误的密码。
Use parameters in SQL queries. They automatically prevent this. Something like this in C#:
This not only applies to C#, but basically all modern DB systems and languages support parameterized queries <- google it.
And second, your first query can be changed to:
Then just count how many rows you got returned, if it's 0, then the user entered the wrong password.