Abstract
This paper introduces the principle of SQL injection attacks and, taking an ASP + SQL Server website as its basis, describes in detail how to avoid SQL injection attacks from three aspects: the application server, the database server, and the function code itself. For the function code in particular, building on the general detection/defense/logging model proposed by earlier work, it proposes an improved general model for checking SQL injection attacks. The model sets only a single level of checking on the server side and logs the attacker; the server ignores further requests from any user whose attack count is too high. The model is abstracted into a standalone function that is simply called where needed, so it applies to every page.
An introduction to SQL injection attacks is given in this paper. Based on sites developed with ASP and SQL Server, a detailed account of how to avoid SQL injection attacks is presented from three aspects: the application server, the database server, and the code. In the area of code in particular, building on the DDL (Detection-Defense-Log) model, we propose an improved common model. The model prevents the attack and records the attacker, and requests from any user whose attack count exceeds the user-configured number are discarded. All functionality of the model is abstracted into a sub or function, so with a single include it can be conveniently put into practice and suits any page.
Source
《微计算机信息》 (Microcomputer Information)
PKU Core Journal
2006, Issue 03X, pp. 10-12 (3 pages)
Control & Automation
Funding
Guangdong Provincial Science and Technology Plan Project (2003C101034)