Detect SQL Injection


I came to a company that already has a fully grown project... but coders that worked here before me didn't follow conventions and didn't use parametrized SQL queries... as

5 answers
  •  孤城傲影
    2021-01-05 17:06

    There is no silver bullet here. SQL injections can come in many obscured forms, and trying to detect them using regular expressions or another form of filtering in your firewall or application can protect you from the most simple forms of SQL injection, but an experienced hacker will simply get through. As AdaTheDev already noted, automated tools that inspect your code, such as the MS Code Analysis Tool, might give you a kick start, but again there is no silver bullet. You will need to go through your whole application.

    When this is a lot of work, you should make a plan. First of all, make a guideline that states how these types of attacks can be mitigated. Also try to divide your application in parts, from very critical to less critical. This way you can better estimate the costs of repairing the bugs and can let management decide what it may cost and thus what risk they are willing to take. Parts of your application that unauthenticated users can access are most critical. If everybody (in the world) can create an account in your application, all functionality that these users can access is highly critical. The smaller the population and the more you trust those users, the smaller the risk. You perhaps can get away with fixing these parts later. But never underestimate a good hacker. He/she might be able to compromise the account of a user with high privilege and start testing for SQL injection possibilities using that account.

    Always try to have a defense in depth strategy: have multiple (or many) layers of defense. For instance, never connect to your database as SA from within your application. Create an account with just the privileges that are needed, and perhaps even create multiple SQL accounts, one account per role (or per group of roles). While restricting the privileges to the database helps a lot in mitigating the risk, again, don't bet on it as a single layer of defense. This article, for instance, explains how a hacker can abuse a lower privilege account when she's able to do SQL injection.

    It is admirable that you ask this question here, because I’ve seen many developers in the past who just don’t want to know, which is very scary, because the business often trusts its developers (which is scary as well).

    I wish you the best of luck.
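One way to start the code audit the answer recommends, as an added example that is not part of this thread: a small Python AST scan that flags `execute()` calls whose SQL text is assembled at runtime (concatenation, `%` formatting, `.format()` or f-strings) rather than passed as a constant with bound parameters. The `LEGACY_SOURCE` sample is constructed for illustration; the scan is a starting point for the manual review, not a replacement for it.

```python
"""Audit helper: locate SQL statements built by string formatting instead of
bound parameters. Added example, not code from the thread or any product."""
import ast

# Constructed sample of the kind of legacy code the question describes.
LEGACY_SOURCE = '''
def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
def find_order(cur, oid):
    cur.execute(f"SELECT * FROM orders WHERE id = {oid}")
def find_item(cur, sku):
    cur.execute("SELECT * FROM items WHERE sku = '%s'" % sku)
def find_role(cur, role):
    cur.execute("SELECT * FROM roles WHERE name = {}".format(role))
def find_safe(cur, name):
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
'''

# DB-API method names whose first argument is SQL text.
EXEC_NAMES = {"execute", "executemany", "executescript"}

def _is_dynamic_string(node: ast.expr) -> bool:
    """True when the SQL text is assembled at runtime from other values."""
    if isinstance(node, ast.JoinedStr):                    # f"... {x} ..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                         # "..." + x / "..." % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                   # "... {}".format(x)
    return False

def find_unparameterized_queries(source: str) -> list[tuple[int, str]]:
    """Return (line, enclosing function) for each execute() call whose SQL
    argument is not a plain constant string."""
    findings = []
    tree = ast.parse(source)
    for func in ast.walk(tree):
        if not isinstance(func, ast.FunctionDef):
            continue
        for call in ast.walk(func):
            if (isinstance(call, ast.Call)
                    and isinstance(call.func, ast.Attribute)
                    and call.func.attr in EXEC_NAMES
                    and call.args
                    and _is_dynamic_string(call.args[0])):
                findings.append((call.lineno, func.name))
    return findings

if __name__ == "__main__":
    for line, fn in find_unparameterized_queries(LEGACY_SOURCE):
        print(f"line {line}: {fn}() builds SQL by string formatting")
```

The constant-string `find_safe` is not reported; every other function in the sample is, which is the list of sites to rewrite with bound parameters first.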
