SQL Injection: Definition and Implementation
SQL Injection: Implementation and Defense
th!nkh@ck-hi
café.thinkhack.org
October 3, 2014
SQL Injection: Definition and Implementation
What is SQL Injection? - To deliver a service efficiently, a web service connects its web server application to a database. Input data is then checked by means of database query language (SQL queries). SQL injection is an attack technique in which a user supplies malicious input values so that an otherwise legitimate SQL statement behaves in an unintended way.
SQL Injection Implementation
Web container, language and DB used for the implementation: Tomcat, JSP, MySQL
SQL Injection Implementation
SELECT * FROM injection where id='x' && password='y';
SELECT * FROM injection where id='injection' or '1'='1'--
SQL Injection Implementation
SELECT * FROM injection where id='x' && password='y';
SELECT * FROM injection where id='test'--
SQL Injection Implementation Source
SQL Injection Defense: String Filtering
1. indexOf()
SQL Injection Defense: String Filtering (uppercase)
1. replace()
SQL Injection Defense: String Filtering (uppercase)
1. PreparedStatement
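As an added example (not code from the deck), the two queries shown on the implementation slides and the three defenses (indexOf()/replace()-style filtering and PreparedStatement) are replayed against an in-memory SQLite table. The table name and columns follow the slides, the rows are constructed, and SQLite's AND stands in for MySQL's &&.

```python
import sqlite3


def setup_db():
    # Constructed table mirroring the deck's "injection" table (id, password).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE injection (id TEXT, password TEXT)")
    conn.executemany("INSERT INTO injection VALUES (?, ?)",
                     [("injection", "s3cret"), ("test", "pw")])
    return conn


def login_concat(conn, user_id, password):
    # Vulnerable: user input is pasted straight into the SQL text, exactly
    # like the slide's  SELECT * FROM injection where id='x' && password='y'
    sql = (f"SELECT * FROM injection WHERE id='{user_id}' "
           f"AND password='{password}'")
    return conn.execute(sql).fetchall()


BLOCKED_TOKENS = ("'", "--", " OR ", ";")


def login_filtered(conn, user_id, password):
    # indexOf()/replace()-style blacklist: upper-case the input first so the
    # check is case-insensitive, then reject anything containing a token.
    for value in (user_id, password):
        if any(token in value.upper() for token in BLOCKED_TOKENS):
            return []
    return login_concat(conn, user_id, password)


def login_prepared(conn, user_id, password):
    # PreparedStatement equivalent: placeholders bind the values, so the
    # input can never change the structure of the query.
    sql = "SELECT * FROM injection WHERE id=? AND password=?"
    return conn.execute(sql, (user_id, password)).fetchall()


if __name__ == "__main__":
    conn = setup_db()
    payload = "injection' or '1'='1'--"
    print("concat   :", login_concat(conn, payload, "anything"))    # every row
    print("filtered :", login_filtered(conn, payload, "anything"))  # []
    print("prepared :", login_prepared(conn, payload, "anything"))  # []
```

The blacklist stops the two payloads from the slides, but only the placeholder version removes the root cause; the filter has to be kept complete forever, the prepared statement does not.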