Practice effective Web site anti-SQL injection method (i)

Intermediary transaction SEO diagnosis Taobao guest Cloud host technology Hall

A few years ago, most of the sites had SQL injections. SQL injection in the past few years can be said to have been recognized by the vast number of web site managers, and in the building site can be noted that the site to prevent injection of the problem, but why we eesafe now included in the site, or a large part of the problem of SQL injection? I don't think it's because webmasters don't know about the dangers of SQL injection. We can go to search engines such as Baidu to find), but because the site for such as SQL injection problems such as prevention and excavation is not deep enough, here I will prevent the Golden method of SQL and we exchange, Should be able to play a role in the site to prevent security vulnerabilities, as to how to explore, I will mention in the latter chapter.

A good way to prevent SQL injection (note, I said here is "guard") there is only one, that is to strengthen the Web site development process of the security process, someone said hardware, then I want to ask what hardware? DDoS anti-attack? These are basically not able to prevent, or the individual has the function of anti injection but as for the effect, I will not say more. The most effective way I have contacted is only one: to strengthen the code writing in the development process of the website and the security test process. Because of the uneven level and experience of programmers responsible for writing programs, the vast majority of programmers have not received security development training, so in the process of web development to go to security considerations is not realistic, which also caused so many sites have a lot of security problems, so not only to prevent SQL injection , to prevent any Web site security issues from the development process and methods to start.

Then how to prevent, give you a few suggestions and methods.

First clear yourself to assume the technical framework of the site, as issued in the Eesafe Web Site Security Alliance site included in the use of ASP or asp.net plus mssql, such as the framework station 52%,PHP+MYSQL accounted for 35%.

Secondly, the different security solutions are made according to the different architectures chosen.

For example, if your site is developed using Php+mysql (now popular most CMS publishing systems are PHP).

1. Strengthen the script layer (that is, strengthen the anti-injection method in PHP). Use the php.ini magic_quotes_gpc option. The Addslashes function, intval function, htmlspecialchars function, htmlentities function are used in the development process where the user input needs to be accepted, and JavaScript anti-injection vulnerability filtering function is added ( out-of-the-Box filtering functions can be found in the Eesafe network security Exchange area and PHP Anti-injection vulnerability filtering functions (out-of-the-box filtering functions can be found in the Eesafe Network security communication area).

2. Strengthen the data layer (i.e., the database to strengthen the means of prevention of injection). Users with normal permissions when connecting to a Web site and database (that is, connection pooling) do not use the Superuser or database owner's account. Rigorously check the type and format of the submitted data to ensure that the data types meet the requirements, such as using the MySQL database system function isnumberic () to determine whether the values uploaded to the database are numbers. Also try to use SSSL or SSH when connecting to the database.

Other frames of the Web site are the same as above, but different details of the framework to guard against the different emphasis. Of course, you can download the local version of the Eesafe Web site Security Detection Tool, choose the appropriate framework for your site to the source code level of injection detection, the software provides for php,asp,.net,jsp and many other architectures of detection. And now you can apply for the official version of the registration number. OK, although there are many articles on the Web site to prevent SQL injection, but I think through this article you will have a more comprehensive understanding of the prevention of injection, to the development and operation of the site to bring help.

Original article, Pure hand Dozen, reprint please specify the copyright belongs to: Eesafe website Security Alliance

Reprint please indicate the original address in the form of link: Eesafe Network security Forum http://www.eesafe.com/bbs/thread-362-1-1.html