When a SQL injection attack is reported, what should the incident handler do (or not do)?
The purpose is to put together a procedural guide for myself and my team. Keep it concise; any details would help.
Posted on 2015-11-11 17:35:37
Not a complete process, but it should get you started:
- Verify that the reported vulnerability is legitimate, preferably in a production-safe manner
  - See the [OWASP SQL Injection Testing guide](https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005%29) for more information on how to do this
- Determine the cause of the SQL Injection
  - This is probably a location where user input is directly concatenated into a SQL query
- The best defense against SQL Injection is to utilize [parameterized/prepared statements](https://en.wikipedia.org/wiki/Prepared_statement) instead of direct string concatenation when building a query based on user input.
  - These statements provide a clear divide between **data** and **syntax**, so that user input is never treated as SQL syntax but instead treated as data
  - How you do this will depend on the language and framework used in your application
  - See the [OWASP SQL Injection Prevention Cheat Sheet](https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet) for more information on preventing SQL injection
https://stackoverflow.com/questions/33656136
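The data/syntax divide described in the answer, shown as an added example that is not part of the original post: a lookup built by string concatenation next to the same lookup as a parameterized statement, run against a constructed in-memory SQLite table (the table, names and functions are all assumptions made for this illustration).

```python
import sqlite3


def make_db():
    """Constructed sample data for the demo (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """Concatenates user input into the query: the input is parsed as SQL syntax."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameterized statement: the driver binds the input as data only."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Runs both variants on the same inputs and returns what each one did."""
    conn = make_db()
    results = {}
    # A legitimate value containing a quote: concatenation yields a malformed query,
    # which is also the kind of error a reviewer would look for in application logs.
    try:
        find_user_vulnerable(conn, "O'Brien")
        results["vuln_quote"] = "ok"
    except sqlite3.OperationalError:
        results["vuln_quote"] = "syntax error"
    results["safe_quote"] = find_user_safe(conn, "O'Brien")
    # A tautology: concatenation changes the query's logic and returns every row;
    # the parameterized query treats the whole string as a name and matches nothing.
    tautology = "' OR '1'='1"
    results["vuln_tautology"] = find_user_vulnerable(conn, tautology)
    results["safe_tautology"] = find_user_safe(conn, tautology)
    return results
```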