Research on the security of web database

Some of the commercial data in the network database were posted online after the theft, and the price data of the company's commercial website were maliciously modified ... Similar cases, the Internet search for a bit, really a lot. The only reason for this is the attack on the Web database from the network. So, does the database in the Web environment have enough security to serve the enterprise? The answer is yes.

Web database is an application system based on Internet/intranet, because of the network openness and the security flaw of communication protocol, as well as the distributed characteristics of data storage and access and processing in the networked environment, the data transmitted on the Internet is easily damaged, stolen, tampered, transferred and lost. These hazards are usually caused by attacks on the network. Up to now, application-level intrusions against web databases have become increasingly rampant, such as SQL injection, Cross-site scripting attacks, and unauthorized user access. All of these intrusions are likely to bypass the foreground security system and attack the database system. How to ensure the security of web database has become a new topic.

First off, the user security management

Web database is a very complex system, it is difficult to properly configure and security maintenance, of course, must first of all to ensure that the database user's permissions security. When users use the Web to manipulate objects (tables, views, triggers, stored procedures, and so on) in a database, they must be authenticated through database access. Most database systems also have well-known default accounts and passwords to support all levels of access to database resources. Therefore, many important database systems are likely to be affected by the federation. User access permission refers to different users have different operating rights for different data objects. Access permissions consist of two elements: Data objects and Operation types. Defining the access rights of a user is to define what types of operations the user can perform on which data objects. Permissions are divided into system permissions and object permissions. System permissions are granted to certain database users by the DBA, and they can become database users only if they have system privileges. Object permissions are permissions that grant database users certain operations on certain data objects, which can be granted either by the DBA or by the creator of the data object.

Second Pass, define view

To define different views for different users, you can restrict the user's access scope. By using the view mechanism, the data that need to be kept secret is hidden from the users who do not have access to the data, which can provide a certain degree of security protection to the database. In practical application, the view mechanism is used in conjunction with the authorization mechanism, first, the view mechanism is used to screen some classified data, and then further authorize the view.

Third off, data encryption

Data security vulnerabilities are everywhere. Some confidential databases, business data and so on must prevent other people illegally access, modification, copy. How to ensure data security? Data encryption is the most widely used, lowest cost and relatively reliable method. Data encryption is an effective means to protect data from being stolen or modified in the process of storage and transmission. Data encryption system includes some factors, such as how to choose encryption algorithm, how high security level and how to collaborate among different algorithms. In different parts of the system, the balance between execution efficiency and security should be considered comprehensively. Because generally security is always at the expense of system efficiency. If you want to deliver secure data on two clients on the Internet, this requires that the client can judge each other's identity, the data passed must be encrypted, and the data can be detected when it is changed in transit.

IV, transaction management, and recovery

Transaction management and failback are primarily to deal with the natural factors that occur within the system, to ensure consistency and integrity of data and transactions.

The primary measure of recovery is logging and data replication. In the network database system, the distributed transaction should be decomposed into several sub transactions to execute each site, and each server must adopt a reasonable algorithm for distributed concurrency control and submission to ensure the integrity of the transaction. The results of every step that a transaction runs are recorded in the system log file, and important data is replicated, and the recovery of the transaction is performed accurately using a copy of the data based on the log file in the event of a failure.

V, database backup and recovery

Computers, like other devices, can fail. There are many reasons for computer failure, including disk failure, power failure, software failure, disaster failure and man-made destruction. Once this happens, data loss in the database can be caused. Therefore, the database system must take the necessary measures to ensure that the database can be restored when the failure occurs. The backup and recovery mechanism of database management system is to ensure that the database system can be restored to normal state when the database system fails. It is important to strengthen data backup, the database has a lot of key data, these data once destroyed the consequences of unimaginable, and this is often what the intruder really care about. Many administrators do not do well at this point, not backup incomplete, that is, backup is not timely. Data backup requires careful planning, a policy test to be implemented, and backup plans need to be constantly adjusted.

VI. Audit and tracking mechanism

Audit tracking mechanism refers to the system to set up the corresponding logging, especially the data update, delete, modify the record, in order to verify later. The contents of the log record can include the name of the operator, the password used, the user's IP address, logon time, operation content, and so on. If the data of the system is found to be corrupted, it can be held accountable according to the log record, or whether the password is stolen from the log record, so as to modify the password, reassign the permissions, and ensure the security of the system.

Seventh, focus on the server

In the three-tier architecture of the Web database, the data is stored in the database server, most of the transaction processing and business logic processing are carried out in the application server, and the application server requests the operation of the database. Theoretically, a business handler can be invoked either through a Web page to access the database, or by bypassing the business handler, and using some database client tools to log in directly to the database server and access the data in the operation. Therefore, the security settings of the database server are critical. Using IDs (Intrusion detection system) to protect the database security gradually popularized, this kind of security technology has applied the traditional network and the operating system level intrusion detection system (IDS) concept to the database. Application IDs provides proactive, SQL-protected and monitoring to protect pre-packaged or self-developed Web applications.