Practice effective Web site anti-SQL injection method (II.)

Intermediary transaction http://www.aliyun.com/zixun/aggregation/6858.html ">seo diagnose Taobao guest cloud host technology Hall

"Practice effective Web site anti-SQL injection (i)" to share with you the Golden method of preventing SQL injection, starting from the development, at two levels to solve, I think if you follow the introduction of the steps can be done, I think we should be able to do a good defensive effect. But we say, no 100% security, the site's micro-function changes or upgrades may affect the overall situation, which is why Eesafe Web site Security Alliance included in the site or some of the injection of loopholes, so how to keep in focus on the site is such a security issue? That's what we call digging, Understand and learn how to exploit a Web site like SQL injection.

No matter what frame you use, php+mysql or jsp+oracle, and so on, its actual injection of the steps to explore is basically unified, there is a lot of similarity. Let me give you a brief introduction to Eesafe's basic approach to helping with Web site mining.

1, Judge the script system (that is to judge the use of the site is asp,php,jsp, etc.).

2, the discovery of injection point, scanning injection Vulnerability (according to the different script system to select the appropriate scanning injection method).

3, special injection point of Judgment (8630.html "> Sometimes the injection point of the script system to filter some special characters, this time need to do a transfer injection judgment test)."

4. Determine the type of database. (using Database system variables, system tables to determine whether the database is Mssql,mysql or Oracle)

5. Judge the table structure in the database (judge the database name, the table name in the library, the field name in the table, the data in the table).

6. Determine the structure of the fields in the database table (use guessing method or read way to judge the field structure in the table)

7. Construct injection statement to inject (construct specific injection statements to get important data, such as trying Administrator account or password)

These six departments are generally the general excavation steps, in the actual operation process may vary according to the circumstances of the slight changes. Finally, a 6-part validated injection point is provided to the requesting help Web site for patching injection vulnerabilities. We can apply the mining injection process to our site to do a comprehensive SQL injection point excavation, of course, you can also use the Eesafe Web Site Security Alliance to provide online detection tools. I hope this and the previous "" practice effective website anti-SQL injection (i) "can bring help to everyone."

Original article, Pure hand Dozen, reprint please specify the copyright belongs to: Eesafe website Security Alliance

Reprint please indicate the original address in the form of link: Eesafe Network security Forum http://www.eesafe.com/bbs/thread-383-1-1.html