Abstract
To improve the security of database systems and to discover and guard against SQL injection vulnerabilities in websites in time, this paper analyzes in detail the principle of SQL injection attacks and discusses, from three aspects (the application server, the database server, and the functional code itself), how to avoid SQL injection attacks. On this basis, the existing "detection, defense, logging" general model is optimized from the perspective of the functional code itself. The improved general SQL injection attack checking model performs its checks only on the server side, logs attackers, and ignores requests from users whose attack count is too high; moreover, it is abstracted into a standalone function that can be called directly and applies to all pages. Experiments show that the model system can effectively discover the SQL injection weak points of a system and thereby effectively improve system security.
In order to improve the security of database systems and find SQL injection vulnerabilities in time, an introduction to SQL injection attacks is given in this paper. A particular introduction to how to avoid SQL injection attacks is proposed. It expatiates from three aspects: the application server, the database server, and the code. Especially in the aspect of code, based on the DDL (Detection-Defense-Log) model, we propose an improved common model. The model prevents the attack and records the attacker, and the requests of a person whose attack count exceeds the number set by the user will be discarded. All the functions of the model are abstracted into a sub or function; thus, with just an include, it can be conveniently put into practice and suits any page. The experiment shows that the prototype system can find SQL injection vulnerabilities effectually and help the administrator to enhance the security.
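The following is an added illustration of the server-side "detect, defend, log" check described in the abstract; it is example code written for this page, not the paper's prototype. The paper does not publish its detection rules, so the pattern list, the `InjectionGuard` class, the per-client threshold and the in-memory SQLite table are all assumptions made here. The real defence is the parameterised query in `find_user`; the heuristic check only feeds the log and the attempt counter, which is how the model decides whose requests to stop answering.

```python
import re
import sqlite3
from collections import defaultdict

# Assumption: a simple keyword/quote heuristic stands in for the paper's
# unspecified detection rule. It is deliberately conservative and will
# flag legitimate input containing quotes, so it must never replace
# parameterised queries as the actual defence.
SUSPICIOUS = re.compile(
    r"(--|;|/\*|\*/|\bunion\b|\bselect\b|\bdrop\b|\binsert\b|\bor\s+\S+\s*=\s*\S+|')",
    re.IGNORECASE,
)


class InjectionGuard:
    """One shared server-side check, callable from every page (the paper's
    'abstracted into a single function' idea)."""

    def __init__(self, max_attempts=3):
        self.max_attempts = max_attempts        # number set by the administrator
        self.attempts = defaultdict(int)        # client id -> suspicious requests seen
        self.log = []                           # (client, field, value) records

    def check_request(self, client, params):
        # Clients already over the threshold are ignored outright (the
        # 'requests will be discarded' rule), even if this request is clean.
        if self.attempts[client] >= self.max_attempts:
            return "blocked"
        for field, value in params.items():
            if SUSPICIOUS.search(str(value)):
                self.attempts[client] += 1          # defend: reject this request
                self.log.append((client, field, value))  # log: record the attacker
                return "rejected"
        return "allow"


def make_db():
    """Constructed sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "user")]
    )
    return conn


def find_user(conn, username):
    # Parameterised query: the input is bound as data and never spliced into
    # the SQL text, so quote characters in it cannot change the statement.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (username,)
    ).fetchone()


def handle_login(guard, conn, client, username):
    """What a page handler does: call the shared guard first, then query."""
    verdict = guard.check_request(client, {"username": username})
    if verdict != "allow":
        return verdict, None
    return verdict, find_user(conn, username)


if __name__ == "__main__":
    guard = InjectionGuard(max_attempts=2)
    conn = make_db()
    print(handle_login(guard, conn, "10.0.0.5", "alice"))
    print(handle_login(guard, conn, "10.0.0.5", "x' OR '1'='1"))
    print(handle_login(guard, conn, "10.0.0.5", "x' OR '1'='1"))
    print(handle_login(guard, conn, "10.0.0.5", "alice"))   # now blocked
    print(guard.log)
```

Two design points worth noting: the counter is keyed by client identity, so in a real deployment the key must be something the attacker cannot freely change (a session bound to authentication rather than a bare source address), and the threshold should be chosen with false positives in mind, since a quote-based heuristic will also count names like O'Brien against the client.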
Source
Henan Science (河南科学)
2009, No. 3, pp. 316-319 (4 pages)
Henan Science
Funding
Shaanxi Provincial Department of Education Special Research Program project (05JK191)
Weinan Teachers University teaching grant (JG200806)
Weinan Teachers University research grant (09YKS010)