ASP.NET website program prevents SQL spoon-fed attack method
Source: (not given)  Author: site webmaster (original article)
..., thereby tricking the system into granting access privileges.

The damage an attacker can cause differs from one system environment to another; it is determined mainly by the security privileges the application uses when it accesses the database. If the account the user runs under has administrator or other elevated privileges, the attacker may be able to perform whatever operations he likes on the database tables, including adding, deleting or updating data, and possibly even dropping tables outright.

2. How to defend against it?

Keeping SQL injection out of an ASP.NET application is not especially difficult: before building a SQL command from the contents of a form, simply filter all of the input first. Input can be filtered in a variety of ways.

⑴ For queries that are constructed dynamically, the following techniques can be used:

First: replace single quotes, that is, turn every single quote that appears on its own into two single quotes, so that the attacker cannot change the meaning of the SQL statement. Looking again at the earlier example, “SELECT * From Users WHERE Login = ''' Or ''1''=''1' AND Password = ''' Or ''1''=''1'” clearly produces a different result from “SELECT * From Users WHERE Login = '' Or '1'='1' AND Password = '' Or '1'='1'”.

Second: remove all hyphens from user input, so that the attacker cannot construct a query such as “SELECT * From Users WHERE Login = 'mas'-- AND Password =''”. Because the second half of such a query has been commented out, it no longer takes effect: the attacker only needs to know a valid user's login name, and can gain access without knowing that user's password at all.

Third: restrict the privileges of the database account used to execute queries. Use different user accounts for query, insert, update and delete operations. Because the operations are isolated under different executing accounts, the account that was only ever meant to execute SELECT statements can no longer be used to execute INSERT, UPDATE or DELETE commands.

⑵ Execute all queries through stored procedures. Passing values as SQL parameters prevents the attacker from using single quotes and hyphens to carry out an attack. In addition, database permissions can be restricted so that only specific stored procedures may be executed; every piece of user input must then be passed within the secure context of the stored procedure, which makes an injection attack very difficult to mount.

⑶ Limit the length of form fields and query-string input. If a user's login name can be at most 10 characters, the form should not accept more than 10 characters of input for it; this greatly increases the difficulty of inserting malicious code into a SQL command.
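The stored-procedure and parameter approach from ⑵, combined with the length limit from ⑶ and the reduced-privilege account from the third technique, as an added C# (ADO.NET) example that is not code from the original article; the connection string, the `dbo.LoginUser` stored procedure, its parameter names and column sizes are assumptions, and the sample input is constructed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class LoginRepository
{
    // Assumption: this account holds EXECUTE on dbo.LoginUser only, with no
    // direct SELECT/INSERT/UPDATE/DELETE rights on the Users table.
    private const string ConnStr =
        "Server=.;Database=AppDb;User Id=login_reader;Password=<placeholder>;";

    // The vulnerable form the article describes: input is concatenated into
    // the statement, so a quote or "--" inside the login changes its meaning.
    public static string BuildUnsafeQuery(string login, string password)
    {
        return "SELECT * From Users WHERE Login = '" + login +
               "' AND Password = '" + password + "'";
    }

    // Hardened form: stored procedure plus typed, length-limited parameters.
    // The database receives the input as data, never as part of the SQL text.
    public static bool TryLogin(string login, string password)
    {
        // Technique ⑶: reject over-long input before it reaches the database
        // (assumption: Login is NVARCHAR(10), Password NVARCHAR(64)). Checking
        // here matters because SqlParameter.Size truncates silently.
        if (string.IsNullOrEmpty(login) || login.Length > 10) return false;
        if (string.IsNullOrEmpty(password) || password.Length > 64) return false;

        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand("dbo.LoginUser", conn)) // assumed proc
        {
            cmd.CommandType = CommandType.StoredProcedure;
            // Sent as NVARCHAR parameters: a value such as ' Or '1'='1 is
            // compared literally against the Login column, not parsed as SQL.
            cmd.Parameters.Add("@Login", SqlDbType.NVarChar, 10).Value = login;
            cmd.Parameters.Add("@Password", SqlDbType.NVarChar, 64).Value = password;

            conn.Open();
            object result = cmd.ExecuteScalar(); // assumed: proc returns COUNT(*)
            return result != null && Convert.ToInt32(result) > 0;
        }
    }

    public static void Main()
    {
        // Constructed input in the shape of the article's example payload.
        string crafted = "' Or '1'='1";
        Console.WriteLine(BuildUnsafeQuery(crafted, crafted));
        Console.WriteLine(TryLogin(crafted, crafted)); // false: no such user
    }
}
```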