许 志强

1656082200

How to prevent blind SQL injection

One of the main problems in the database world is SQL injection; it is so widespread that OWASP lists it as the number one threat to web applications. SQL injection comes in several types, and one of them is blind SQL injection. In this blog post, we look at how harmful this attack can be.

What is SQL injection, and what are its categories?

As we have told you in some of our previous blog posts, SQL injection is the main attack against databases: an application is vulnerable to SQL injection when input supplied by the user is forwarded directly to the database without being sanitized and handled properly.

The categories of SQL injection matter for several key reasons:

  • Different types of SQL injection affect web applications in different ways.
  • Some types of SQL injection are easier to block than others.
  • Some types of SQL injection depend directly on how our web application behaves (for example, the outcome of a successful blind SQL injection attack depends directly on whether our web application displays errors).
  • Some types of SQL injection have subtypes (think of time-based blind SQL injection), and these subtypes can also make or break the deal for a malicious party, because they depend directly on a specific factor that, in this case, cannot be controlled: time.

There are several categories of SQL injection:

As you can see, there are not many categories of SQL injection. However, while classic SQL injection is used most frequently, when a classic SQL injection attack does not work, attackers usually turn to the blind side of SQL: they try to attack the application with blind SQL injection.

The kingdom of blind SQL injection

Imagine your application as a castle. We know this may seem at least a little strange, but bear with us. Now imagine your web application as a castle. Done? Good. Now imagine a group of blind soldiers with spears attacking it, their spears frequently missing the castle's fortifications. What do you think: how long would it take blind soldiers with spears to get through your castle's defences? It would take a while, but the soldiers would get through eventually. And once they are through, the treasure stored in your castle (the data in your web application) is as good as gone: they will steal everything.

The soldiers are well equipped, and even though they are blind, they will eventually breach your defences. Oh no! This is how blind SQL injection works in the real world. Let's take another example:

  1. The attacker discovers that your web application is vulnerable to a form of blind SQL injection by appending a single quote to some parameter, after which your web application returns an error.
  2. The attacker keeps crafting SQL queries, none of which return any error. However, he soon discovers that when he runs one type of query, data from inside your web application is displayed on the screen, and after he runs another type, the data disappears. "Aha!", the attacker thinks. "Got it. There is a blind SQL injection vulnerability."

As you may have noticed, blind SQL injection is an attack that asks the database "questions" in the form of queries and tries to determine whether they are true or false from the web application's responses. Blind SQL injection is most often detected by running a query like the following:

If the web application returns a "positive" response (meaning it returns a visible difference on the web page), the web application is vulnerable to this attack; if the application does not react, it probably is not. In the first case, the attacker knows there is a problem with your database and tries to penetrate your defences further. And so the game begins: the attacker tries to notice what kind of responses your web application is willing to return. One query returns a page with results, so he explores further; another returns a blank page, so he changes the query and tries again. The game continues until all of the data the malicious party is interested in has been extracted from your database. Yes, such queries take a long time (this is one of the best-known traits of blind SQL injection), but keep in mind that the time it takes, however regrettable, may not stop an attacker who intends to compromise your system from stealing as much of your data as he can.

Some web applications may even filter parts of GET or POST parameters, meaning they may "catch" single or double quotes that are being used, but this is only one piece of the puzzle. Such functionality is usually part of a web application firewall; we have already discussed WAFs (short for Web Application Firewall) in another of our articles, so we will not go into detail here, but remember that a web application firewall can protect against a range of attacks, from denial of service to SQL injection. You can find a live example of a web application firewall by visiting the website of BreachDirectory, one of the largest and fastest data breach search engines in the world, but for now, let's get back to the topic.

Types of blind SQL injection

There are two types of blind SQL injection: boolean-based and time-based. Boolean-based blind SQL injection relies on sending a certain SQL query to the database and determining whether the query returned a TRUE or FALSE result by looking at the application's response, while time-based SQL injection relies on time: a query used for time-based blind SQL injection against a web application forces the database to wait a number of seconds before returning a response, and if the response comes back after exactly the specified number of seconds has elapsed, the attacker can determine that the application is vulnerable to time-based blind SQL injection. Here are some of the main differences and similarities between the two types:

Preventing blind SQL injection

Contrary to popular belief, preventing blind SQL injection does not take much skill or effort; it can be prevented with basic security measures. Yes, it is that simple! We can achieve this by using prepared statements through PHP Data Objects (PDO) in PHP (they keep user-supplied input separate from the rest of the query, so that no type of SQL injection is possible), by using automated testing solutions that tell us whether our application is vulnerable to SQLi, or, of course, by using whitelist-based security controls: as developers, we should get into the habit of filtering and sanitizing every parameter that interacts with our data in any way. By doing so, we take our web application to the next security level by preventing all kinds of SQL injection attacks and other types of security problems.
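As an added illustration (not code from the original post, which talks about PHP and PDO), the same separation of query text from user input is shown below with Python's sqlite3 parameter binding next to the string-concatenation pattern the post warns against, together with the two checks an automated test would run: whether a legitimate value containing a single quote breaks the query, and whether a true versus a false appended condition changes the response. The table, its rows and the helper names are all constructed for this example.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the web application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "O'Brien")])
    return conn

# --- The pattern the post warns against: input spliced into the query text ---

def find_by_name_vulnerable(conn, name):
    # A quote inside `name` ends the string literal early, so the statement
    # no longer parses: that is the error the post's step 1 describes.
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def find_by_id_vulnerable(conn, user_id):
    # No quotes at all, so whatever follows the number is executed as SQL.
    sql = "SELECT name FROM users WHERE id = " + user_id
    return [row[0] for row in conn.execute(sql)]

# --- The fix: bind parameters so the value can never alter the query's shape ---

def find_by_name_safe(conn, name):
    return [row[0] for row in conn.execute(
        "SELECT id FROM users WHERE name = ?", (name,))]

def find_by_id_safe(conn, user_id):
    # SQLite applies the column's numeric affinity to the bound text, so "1"
    # still matches id 1, while "1 AND 1=1" is just a string matching nothing.
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE id = ?", (user_id,))]

# --- Two checks an automated test suite can run against each lookup function ---

def quote_breaks_query(conn, lookup):
    """True if a legitimate value containing a single quote makes the query fail."""
    try:
        lookup(conn, "O'Brien")
    except sqlite3.OperationalError:
        return True
    return False

def boolean_probe_differs(conn, lookup):
    """True if a true versus a false appended condition changes the result set,
    the visible difference that boolean-based blind injection depends on."""
    return lookup(conn, "1 AND 1=1") != lookup(conn, "1 AND 1=2")

if __name__ == "__main__":
    db = make_db()
    for fn in (find_by_name_vulnerable, find_by_name_safe):
        print(fn.__name__, "breaks on a quote:", quote_breaks_query(db, fn))
    for fn in (find_by_id_vulnerable, find_by_id_safe):
        print(fn.__name__, "boolean probe differs:", boolean_probe_differs(db, fn))
```

The two checks are the kind of regression test that belongs in the application's own suite, so a lookup that regresses to string concatenation is caught before it ships.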

Once we have taken our web application to the next security level, we must also take care of the security of our own accounts: we can run a search through BreachDirectory to see whether any of our accounts are at risk and act on the advice it gives us. Once we have done that, our accounts should be safe too. Win-win!

Summary

Blind SQL injection is a type of SQL injection in which the attacker cannot figure out how our web application "thinks", so they must rely on the output the web application gives them or on time, depending on which method (boolean-based or time-based) is in use. With boolean-based SQL injection, the attacker relies on the fact that the web application may look different from usual, while with time-based SQL injection, the attacker relies heavily on time.

Whichever type of SQL injection an attacker chooses to use, none of them gives the attacker a quick way to obtain data; the attacker may actually spend hours, days or even months obtaining the data he is interested in, but once the attack is successfully completed, the data is usually sold to other criminals on the dark web for thousands of dollars, and the cycle repeats.

To prevent blind SQL injection, make sure to follow secure coding practices, do not forward user input directly into the database, and refine how errors are returned by your web application.

Also, make sure to run a search through a known data breach search engine such as BreachDirectory to make sure your data is safe, day and night, and until next time. See you in the next blog post!

Source: https://betterprogramming.pub/blind-sql-injection-threat-or-childs-play-6080d955a933

#sql 

Cayla Erdman

1594369800

Introduction to Structured Query Language SQL pdf

SQL stands for Structured Query Language. SQL is a scripting language intended to store, manipulate, and query data stored in relational databases. The first version of SQL appeared in 1974, when a group at IBM developed the first prototype of a relational database. The first commercial relational database was released by Relational Software, which later became Oracle.

Standards for SQL exist. However, the SQL that can be used on each of the major RDBMS today comes in different flavors. This is due to two reasons:

1. The SQL standard is fairly complex, and it is not practical to implement the entire standard.

2. Every database vendor needs a way to differentiate its product from the others.

Throughout, differences are noted where appropriate.


Cayla Erdman

1596441660

Welcome Back the T-SQL Debugger with SQL Complete – SQL Debugger

When you develop large chunks of T-SQL code with the help of the SQL Server Management Studio tool, it is essential to test the “live” behavior of your code by making sure that each small piece of code works fine and by being able to locate any error message that may cause a failure within that code.

The easiest way to do that would be to use the T-SQL debugger feature, which used to be built into the SQL Server Management Studio tool. But since the T-SQL debugger feature was removed completely from SQL Server Management Studio 18 and later editions, we need a replacement for it, because we cannot keep using old versions of SSMS just to keep the T-SQL Debugger while missing out on the new features and bug fixes released in the new SSMS versions.

If you plan to wait for SSMS to bring back the T-SQL Debugger feature, vote in the Put Debugger back into SSMS 18 to ask Microsoft to reintroduce it.

As for me, I searched for an alternative to the SSMS built-in T-SQL Debugger and found that Devart has rolled out a new T-SQL Debugger feature in version 6.4 of its SQL Complete tool. SQL Complete is an add-in for Visual Studio and SSMS that offers script autocompletion capabilities, which help you develop and debug your SQL database project.

The SQL Debugger feature of SQL Complete allows you to check the execution of your scripts, procedures, functions, and triggers step by step by adding breakpoints to the lines where you plan to start, suspend, evaluate, step through, and then to continue the execution of your script.

You can download SQL Complete from the dbForge Download page and install it on your machine using a straightforward installation wizard. The wizard will ask you to specify the installation path for the SQL Complete tool and, from the versions installed on your machine, the versions of SSMS and Visual Studio into which you plan to install SQL Complete as an add-in, as shown below:

Once SQL Complete is fully installed on your machine, the dbForge SQL Complete installation wizard will notify you of whether the installation was completed successfully or the wizard faced any specific issue that you can troubleshoot and fix easily. If there are no issues, the wizard will provide you with an option to open the SSMS tool and start using the SQL Complete tool, as displayed below:

When you open SSMS, you will see a new “Debug” tools menu, under which you can navigate the SQL Debugger feature options. Besides, you will see a list of icons that will be used to control the debug mode of the T-SQL query at the leftmost side of the SSMS tool. If you cannot see the list, you can go to View -> Toolbars -> Debugger to make these icons visible.

During the debugging session, the SQL Debugger icons will be as follows:

The functionality of these icons within the SQL Debugger can be summarized as:

  • Adding Breakpoints controls where execution of the T-SQL script pauses (at a specific statement), which allows you to check the debugging information of the T-SQL statements, such as the values of the parameters and variables.
  • Step Into “navigates” through the script statements one by one, allowing you to check how each statement behaves.
  • Step Over “executes” a specific stored procedure as a whole if you are sure that it contains no error.
  • Step Out “returns” from the stored procedure, function, or trigger to the main debugging window.
  • Continue executes the script until the next breakpoint is reached.
  • Stop Debugging “terminates” the debugging session.
  • Restart “stops and starts” the current debugging session.

#sql server #sql #sql debugger #sql server #sql server stored procedure #ssms #t-sql queries

Cayla Erdman

1596448980

The Easy Guide on How to Use Subqueries in SQL Server

Let’s say the chief credit and collections officer asks you to list down the names of people, their unpaid balances per month, and the current running balance and wants you to import this data array into Excel. The purpose is to analyze the data and come up with an offer making payments lighter to mitigate the effects of the COVID19 pandemic.

Do you opt to use a query and a nested subquery or a join? What decision will you make?

SQL Subqueries – What Are They?

Before we do a deep dive into syntax, performance impact, and caveats, why not define a subquery first?

In the simplest terms, a subquery is a query within a query. While a query that embodies a subquery is the outer query, we refer to a subquery as the inner query or inner select. And parentheses enclose a subquery similar to the structure below:

SELECT 
 col1
,col2
,(subquery) as col3
FROM table1
[JOIN table2 ON table1.col1 = table2.col2]
WHERE col1 <operator> (subquery)

We are going to look upon the following points in this post:

  • SQL subquery syntax depending on different subquery types and operators.
  • When and in what sort of statements one can use a subquery.
  • Performance implications vs. JOINs.
  • Common caveats when using SQL subqueries.

As is customary, we provide examples and illustrations to enhance understanding. But bear in mind that the main focus of this post is on subqueries in SQL Server.

Now, let’s get started.

Make SQL Subqueries That Are Self-Contained or Correlated

For one thing, subqueries are categorized based on their dependency on the outer query.

Let me describe what a self-contained subquery is.

Self-contained subqueries (or sometimes referred to as non-correlated or simple subqueries) are independent of the tables in the outer query. Let me illustrate this:

-- Get sales orders of customers from Southwest United States 
-- (TerritoryID = 4)

USE [AdventureWorks]
GO
SELECT CustomerID, SalesOrderID
FROM Sales.SalesOrderHeader
WHERE CustomerID IN (SELECT [CustomerID]
                     FROM [AdventureWorks].[Sales].[Customer]
                     WHERE TerritoryID = 4)

As demonstrated in the code above, the subquery (enclosed in parentheses) has no references to any column in the outer query. Additionally, you can highlight the subquery in SQL Server Management Studio and execute it without getting any runtime errors.

Which, in turn, leads to easier debugging of self-contained subqueries.

The next thing to consider is correlated subqueries. Compared to its self-contained counterpart, this one has at least one column being referenced from the outer query. To clarify, I will provide an example:

USE [AdventureWorks]
GO
-- The subquery references p.BusinessEntityID from the outer query,
-- which is what makes it correlated
SELECT DISTINCT p.LastName, p.FirstName, e.BusinessEntityID
FROM Person.Person AS p
JOIN HumanResources.Employee AS e ON p.BusinessEntityID = e.BusinessEntityID
WHERE 1262000.00 IN
    (SELECT [SalesQuota]
    FROM Sales.SalesPersonQuotaHistory spq
    WHERE p.BusinessEntityID = spq.BusinessEntityID)

Were you attentive enough to notice the reference to BusinessEntityID from the Person table? Well done!

Once a column from the outer query is referenced in the subquery, it becomes a correlated subquery. One more point to consider: if you highlight a subquery and execute it, an error will occur.

And yes, you are absolutely right: this makes correlated subqueries considerably harder to debug.

To make debugging possible, follow these steps:

  • isolate the subquery.
  • replace the reference to the outer query with a constant value.

Isolating the subquery for debugging will make it look like this:

SELECT [SalesQuota]
    FROM Sales.SalesPersonQuotaHistory spq
    WHERE spq.BusinessEntityID = <constant value>

Now, let’s dig a little deeper into the output of subqueries.

Make SQL Subqueries With 3 Possible Returned Values

Well, first, let’s think of what returned values can we expect from SQL subqueries.

In fact, there are 3 possible outcomes:

  • A single value
  • Multiple values
  • Whole tables

Single Value

Let’s start with single-valued output. This type of subquery can appear anywhere in the outer query where an expression is expected, like the WHERE clause.

-- Output a single value which is the maximum or last TransactionID
USE [AdventureWorks]
GO
SELECT TransactionID, ProductID, TransactionDate, Quantity
FROM Production.TransactionHistory
WHERE TransactionID = (SELECT MAX(t.TransactionID) 
                       FROM Production.TransactionHistory t)

When you use a MAX() function, you retrieve a single value. That is exactly what happened in our subquery above. Using the equals (=) operator tells SQL Server that you expect a single value. Another thing: if the subquery returns multiple values while the equals (=) operator is used, you get an error similar to the one below:

Msg 512, Level 16, State 1, Line 20
Subquery returned more than 1 value. This is not permitted when the subquery follows =, !=, <, <= , >, >= or when the subquery is used as an expression.

Multiple Values

Next, we examine the multi-valued output. This kind of subquery returns a list of values with a single column. Additionally, operators like IN and NOT IN will expect one or more values.

-- Output multiple values: a list of customers whose last names start with 'I'

USE [AdventureWorks]
GO
SELECT [SalesOrderID], [OrderDate], [ShipDate], [CustomerID]
FROM Sales.SalesOrderHeader
WHERE [CustomerID] IN (SELECT c.[CustomerID] FROM Sales.Customer c
INNER JOIN Person.Person p ON c.PersonID = p.BusinessEntityID
WHERE p.LastName LIKE N'I%' AND p.PersonType = 'SC')

Whole Table Values

And last but not least, why not delve into whole table outputs.

-- Output a table of values based on sales orders
USE [AdventureWorks]
GO
SELECT [ShipYear],
COUNT(DISTINCT [CustomerID]) AS CustomerCount
FROM (SELECT YEAR([ShipDate]) AS [ShipYear], [CustomerID] 
      FROM Sales.SalesOrderHeader) AS Shipments
GROUP BY [ShipYear]
ORDER BY [ShipYear]

Have you noticed the FROM clause?

Instead of using a table, it used a subquery. This is called a derived table or a table subquery.

And now, let me present you some ground rules when using this sort of query:

  • All columns in the subquery should have unique names. Much like a physical table, a derived table should have unique column names.
  • ORDER BY is not allowed unless TOP is also specified. That’s because the derived table represents a relational table where rows have no defined order.

In this case, a derived table has the benefits of a physical table. That’s why in our example, we can use COUNT() in one of the columns of the derived table.

That’s about all regarding subquery outputs. But before we get any further, you may have noticed that the logic behind the example for multiple values and others as well can also be done using a JOIN.

-- Output multiple values which is a list of customers with lastnames that start with 'I'
USE [AdventureWorks]
GO
SELECT o.[SalesOrderID], o.[OrderDate], o.[ShipDate], o.[CustomerID]
FROM Sales.SalesOrderHeader o
INNER JOIN Sales.Customer c on o.CustomerID = c.CustomerID
INNER JOIN Person.Person p ON c.PersonID = p.BusinessEntityID
WHERE p.LastName LIKE N'I%' AND p.PersonType = 'SC'

In fact, the output will be the same. But which one performs better?

Before we get into that, let me tell you that I have dedicated a section to this hot topic. We’ll examine it with complete execution plans and have a look at illustrations.

So, bear with me for a moment. Let’s discuss another way to place your subqueries.

#sql server #sql query #sql server #sql subqueries #t-sql statements #sql

Ruth Nabimanya

1621850444

List of Available Database for Current User In SQL Server

Introduction

When working in SQL Server, we may have to check databases other than the current one we are working in. In that scenario, we may not be sure whether we have access to those databases. In this article, we discuss how to list the databases that are available to the currently logged-in user in SQL Server.

Get the list of database
Conclusion


Introduction to Recursive CTE

This article will introduce the concept of SQL recursion. Recursive CTEs are really cool. We will see that they can often simplify our code and avoid a cascade of SQL queries!

Why use a recursive CTE?

Recursive queries are used to query hierarchical data. They avoid a cascade of SQL queries: you need only one query to retrieve the hierarchical data.

What is recursive CTE ?

First, what is a CTE? A CTE (Common Table Expression) is a temporary named result set that you can reference within a SELECT, INSERT, UPDATE, or DELETE statement. For example, you can use CTE when, in a query, you will use the same subquery more than once.

A recursive CTE is one having a subquery that refers to its own name!

Recursive CTE is defined in the SQL standard.

How to make a recursive CTE?

A recursive CTE has this structure:

  • The WITH clause must begin with “WITH RECURSIVE”.
  • The recursive CTE subquery has two parts, separated by “UNION [ALL]” or “UNION DISTINCT”:
      • The first part produces the initial row(s) for the CTE. This SELECT does not refer to the CTE name.
      • The second part recurses by referring to the CTE name in its FROM clause.

Practice / Example

In this example, we use hierarchical data. Each row can have zero or one parent, and that parent can itself have a parent, and so on.

Create table test (id integer, parent_id integer);

insert into test (id, parent_id) values (1, null);
insert into test (id, parent_id) values (11, 1);
insert into test (id, parent_id) values (111, 11);
insert into test (id, parent_id) values (112, 11);
insert into test (id, parent_id) values (12, 1);
insert into test (id, parent_id) values (121, 12);

For example, the row with id 111 has as ancestors: 11 and 1.

Before knowing the recursive CTE, I was doing several queries to get all the ancestors of a row.

For example, to retrieve all the ancestors of the row with id 111, the loop looked like this (pseudocode):

X = 111
While (row X has a parent)
	Select id, parent_id from test where id = X
	X = parent_id

With recursive CTE, we can retrieve all ancestors of a row with only one SQL query :)

WITH RECURSIVE cte_test AS (
	SELECT id, parent_id FROM test WHERE id = 111
	UNION
	-- each step fetches the parent of the rows found so far
	SELECT test.id, test.parent_id FROM test JOIN cte_test ON cte_test.parent_id = test.id
) SELECT * FROM cte_test

Explanations:

  • “WITH RECURSIVE”: it indicates that the CTE is recursive.
  • “SELECT id, parent_id FROM test WHERE id = 111”: it is the initial query.
  • “UNION … JOIN cte_test”: it is the recursive expression, which joins the table with the CTE itself!
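To run the ancestor query end to end, here is an added example (not part of the original article) that loads the article's test table into an in-memory SQLite database through Python's sqlite3, since SQLite also supports WITH RECURSIVE. Going beyond the article, the same CTE is parameterised on its join direction so it also walks downward to collect descendants, and it tracks each row's depth from the starting row; the function names and the depth column are this example's own.

```python
import sqlite3

# The article's rows, constructed here as (id, parent_id); None marks the root.
ROWS = [(1, None), (11, 1), (111, 11), (112, 11), (12, 1), (121, 12)]

def make_db():
    """Build the article's `test` table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test (id INTEGER, parent_id INTEGER)")
    conn.executemany("INSERT INTO test (id, parent_id) VALUES (?, ?)", ROWS)
    return conn

def walk(conn, start_id, upward):
    """Return [(id, depth), ...] reachable from start_id, depth 0 at the start row.

    upward=True follows parent_id links towards the root (ancestors);
    upward=False follows them in reverse (descendants). Only the join
    condition of the recursive member differs between the two directions.
    """
    # The join condition is chosen from two constants in code, never from
    # user data; the only user-controlled value (start_id) is bound as a parameter.
    if upward:
        join_on = "cte_test.parent_id = test.id"   # next row is the current row's parent
    else:
        join_on = "cte_test.id = test.parent_id"   # next rows are the current row's children
    sql = f"""
        WITH RECURSIVE cte_test(id, parent_id, depth) AS (
            SELECT id, parent_id, 0 FROM test WHERE id = ?
            UNION
            SELECT test.id, test.parent_id, cte_test.depth + 1
            FROM test JOIN cte_test ON {join_on}
        )
        SELECT id, depth FROM cte_test ORDER BY depth, id
    """
    return [(row[0], row[1]) for row in conn.execute(sql, (start_id,))]

def ancestors(conn, start_id):
    """Ids from start_id up to the root, nearest first."""
    return [row_id for row_id, _ in walk(conn, start_id, upward=True)]

def descendants(conn, start_id):
    """Ids from start_id down through every child, level by level."""
    return [row_id for row_id, _ in walk(conn, start_id, upward=False)]

if __name__ == "__main__":
    db = make_db()
    print("ancestors of 111:", ancestors(db, 111))      # [111, 11, 1]
    print("descendants of 1:", descendants(db, 1))      # [1, 11, 12, 111, 112, 121]
```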


#sql #database #sql-server #sql-injection #writing-sql-queries #sql-beginner-tips #better-sql-querying-tips #sql-top-story