[Anti-injection] effective website anti-SQL injection (1)

A few years ago, most websites had SQL injection. SQL Injection has been recognized by the majority of website managers over the past few years, and can be noticed during website construction. However, why is the website currently included in EeSafe, is there a large part of SQL Injection problems? I don't think it's because webmasters don't know the dangers of SQL injection (I won't talk about the dangers here. You can go to Baidu and other search engines to find them ), this is due to the fact that the website has insufficient prevention and exploration of problems such as SQL injection. Here I will share with you the golden way to prevent SQL attacks, it should be able to contribute to the prevention of security vulnerabilities on the website. As for how to explore it, I will mention it later.

There is only one good way to prevent SQL injection (note that I am talking about "prevention" here), that is, to strengthen the security process during website development. Some people say that the hardware is used, what hardware should I ask? Firewall? Anti-DDOS attack? Security Gateway? These are basically hard to prevent, or some of them have the anti-injection function, but I will not say much about the effect. There is only one of the most effective methods I can use: To enhance the coding and security testing processes during website development. Due to the varying levels of programmers and experience in programming, the vast majority of programmers have not received security development training. Therefore, it is unrealistic to consider security issues during website development, this has led to a situation where so many websites still have a large number of security risks. Therefore, not only does it prevent SQL injection, but it also prevents any website security problems from starting with the development process and methods.

How can we prevent it and give you some suggestions and methods.

First, make sure that you want to assume the technical architecture of the website. As of now, the website recorded on the eesafe website security alliance uses 52% of architecture sites such as ASP or asp.net and MSSQL, and PHP + MYSQL accounts for 35%.

Secondly, different security solutions are implemented based on the selected architectures.

For example, if your website is developed using PHP + MYSQL (most popular CMS publishing systems currently use PHP ).

1. Strengthen the script layer (that is, strengthen anti-injection measures in PHP ). Use the magic_quotes_gpc option of Php. ini. During the development process, the addslashes function, intval function, htmlspecialchars function, and htmlentities function are used wherever user input is needed, and the javascript anti-injection vulnerability filtering function is added (the ready-made filter function can be used in the handler) and PHP anti-injection vulnerability filtering functions (available filter functions can be found at http://www.eesafe.com/bbs/thread-361-1-1.html ).

2. Strengthen the data layer (that is, strengthen anti-injection measures for databases ). When connecting a website to a database (that is, a connection pool), the user has normal permissions. Do not use the account of the Super User or database owner. Strictly check the type and format of the submitted data to ensure that the data type meets the requirements. For example, use the mysql database system function isnumberic () to determine whether the value uploaded to the database is a number. In addition, try to use sssl or ssh when connecting to the database.

Websites of other architectures are the same as those above, but the protection details of different architectures have different focuses. Of course, you can download and use the local version of the EeSafe website security detection tool, select the appropriate architecture for your website source code-level injection detection, the software provides for PHP, ASP ,. NET, JSP, and other architectures. And now you can get the official registration number through the application. Well, although there are many articles on the Internet about anti-SQL Injection for websites, I 'd like to use this article to give you a more comprehensive understanding of Anti-injection, it can help website development and operation.

Original article, hand-written, reprinted please indicate copyright ownership: EeSafe Website Security Alliance