How are SQL Injection attacks prevented?
All components & protocols access data through the DAL ( data access layer)
SQL injection is a code injection technique, used to attack data driven applications like stSoftware.
stSoftware systems support a number of web accessible protocols including:-
- ReST
- SOAP
- Web Forms
- GWT RPC
All protocols access the underlying data through the DAL ( data access layer). There is NO direct access to the underlying data store no matter which protocol is used. Each protocol accepts the request to read or write data and then perform the protocols validations and then passes the request on to the DAL to execute the request which in turn validates the request, checks the user's access and perform any validations before returning the result.
SQL & XSS attacks are automatically tested for each of the supported protocols. Listed below are the standard SQL injection strings attempted.
| SQL Injection String |
| "&%00<!--\'';你好 |
| \'; DROP TABLE users; -- |
| ''; |
| \' |
| \''; \'';:Contact-Delete |
| '\''; \''; |
| \u00F0\u009F\u00BF\u00B1\u00F0\u00AF\u00BF\u00B2\u00F0\u00BF\u00BF\u00B3\u00F1\u008F\u00BF\u00B4\u00F1\u009F\u00BF\u00B5\u00F1\u00AF\u00BF\u00B6\u00F4\u008F\u00BF\u00B7 |
| \u00EF\u00BB\u00BF\u00FF\u00FE\u00FF\u00FF\u00FE\u00FF\u2060 |
| \u001E\u0100 |
| \u001E\u00f0\u00f1\u00f2\u00f3\u00f4\u00f5\u00f6\u00f7\u00f8\u00f9\u00fa\u00fb\u00fc\u00fd\u00fe\u00ff |
| \uE000 |
| \uD7FF |
| \ufffe |
| € |
| €123 |
| &€123 |
| ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//alert(String.fromCharCode(88,83,83))//;alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> |
| ' or 1=1;-- |
| {? = CALL addJdbcExampleTrade (1, 'john', 32, '2004-10-22') } |
| {call ...} |
| {?= call ...} |
| {fn ...} |
| {oj ...} |
| {d ...} |
| {t ...} |
| {ts ...} |
| ©¡¢£¤¥¦§¨ª¬®°º»¼½¾¿ ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏ ÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞß àáâãäåæçèéêëìíîï ðñòóôõö÷øùúûüýþÿ |
| abc'$ |
| '''''""""$$$$\\\'\$$ |
| $$$$$ |
| $global.id$ |
| \$ |
| ==== |
| +++ |
| # |
| #23; |
| #abc; |
| #abc;#23;########;# |
| RT @ClimateGroup - RT @EurActiv: #23;Solar #23;recession signals end of \''Wild West\'' gold rush http://t.co/GHFL9g2p #23;EU #23;renewable #23;energy |
| \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ |
| Bob&Sons |
| Mr 5%3 |
| My & name |
| hacker '; games |
|  |
| you+me |
| -- ;DELETE FROM Login; |
| "" |
| /*comment */ |
| SELECT /*!32302 1/0, */ 1 FROM tablename |
| ID: 10; DROP TABLE members /* |
| SELECT /*!32302 1/0, *\/ 1 FROM tablename |
| admin' -- |
| admin' # |
| admin'/* |
| ' or 1=1 or ''=' |
| ' or 1=1-- |
| ' or 1=1# |
| ' or 1=1/* |
| ') or '1'='1-- |
| ') or ('1'='1-- |
| " or 1=1-- |
| or 1=1-- |
| ' or 1=1 or ' '= ' |
| >]]></Description> |
| <Description xmlns=""><![CDATA[ |
| </Resource> |
| <!-->]]><![CDATA[ |
| 'or 1=1 or ''=' |
| PETA: Seaworld's Use of Whales Violates the 13th Amendment. |
| PETA: Seaworld\'s Use of Whales Violates the 13th Amendment. |
| PETA: Seaworld''s Use of Whales Violates the 13th Amendment. |
| PETA: Seaworld\''s Use of Whales Violates the 13th Amendment. |
| ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' |
| INSERT INTO st_person ( code,name,notes) Values ( 'XYZ','Nigel','') |
| < |
| %3C |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| < |
| \x3c |
| \x3C |
| \u003c |
| \u003C |
| DROP sampletable;-- |
| DROP sampletable;# |
| admin'-- |
| DROP/*comment*/sampletable |
| DR/**/OP/*bypass blacklisting*/sampletable |
| SELECT/*avoid-spaces*/password/**/FROM/**/Members |
| ID: /*!32302 10*/ |
| SELECT IF(1=1,'true','false') |
| IF (1=1) SELECT 'true' ELSE SELECT 'false' |
| CHAR(0x66) |
| 0x5045 |
| 0x50 + 0x45 |
| SELECT login + '-' + password FROM members |
| SELECT login || '-' || password FROM members |
| SELECT CONCAT(login, password) FROM members |
| 0x457578 |
| SELECT CONCAT('0x',HEX('c:\boot.ini')) |
| SELECT CONCAT(CHAR(75),CHAR(76),CHAR(77)) (M) |
| SELECT CHAR(75)+CHAR(76)+CHAR(77) (S) |
| SELECT LOAD_FILE(0x633A5C626F6F742E696E69) (M) |
| SELECT ASCII('a') |
| SELECT CHAR(64) |
| ' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1-- |
| SELECT header FROM news UNION ALL SELECT name COLLATE SQL_Latin1_General_Cp1254_CS_AS FROM members |
| 1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055 |
| ' HAVING 1=1 -- |
| ' GROUP BY table.columnfromerror1 HAVING 1=1 -- |
| ORDER BY 1-- |
| ' union select sum(columntofind) from users-- |
| SELECT * FROM Table1 WHERE id = -1 UNION ALL SELECT null, null, NULL, NULL, convert(image,1), null, null,NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULl, NULL-- |
| declare @o int |
| EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:' |
| xp_regaddmultistring |
| xp_regdeletekey |
| xp_regdeletevalue |
| SELECT * FROM master..sysprocesses /*WHERE spid=@@SPID*/ |
| DECLARE @result int; EXEC @result = xp_cmdshell 'dir *.exe';IF (@result = 0) SELECT 0 ELSE SELECT 1/0 |
| WAITFOR DELAY '0:0:10'-- |
| IF (SELECT * FROM login) BENCHMARK(1000000,MD5(1)) |
| SELECT pg_sleep(10); |
| product.asp?id=5-1 |
| MD5() |
| SHA1() |
| PASSWORD() |
| ENCODE() |
| COMPRESS() |
| ROW_COUNT() |
| SCHEMA() |
| VERSION() |
| @@version |