SQL注入问题研究与防范方法

SQL Injection Problem Research and Prevention Method

目前许多基于B/S模式网络服务构架技术的应用程序在设计与开发时没有充分考虑到数据合法性校验问题,所以在其使用中存在着不少安全隐患。该文分析了SQL注入攻击的特点、原理,并对常用注入方法进行了总结。然后在主动式防范模型的基础上,提出了使用参数化查询、实施过滤和监视工具、精心编制错误消息、及时打补丁并强化数据和限制数据库的特权等几种思路和方法。

At present, many applications of B/S mode network service architecture based on Technology in the design and development were not fully considered data verify the legitimacy of the problem, so a lot of hidden security problems in the use of.This paper analyzes the principle and characteristics of SQL injection attacks, and the commonly used injection methods were summarized. Then based on the active prevention model, proposed to use parameterized queries, implementation of filtering and monitoring tools, elaborate the error message, timely patching and strengthening data and limited database privileges and so on several ideas and methods.