
Research on SQL Injection Attacks and Countermeasures in the Web Environment

Research on SQL Injection Attack and Guard Method (English title as published)
Abstract (translated from the Chinese): Network service architectures based on the B/S (browser/server) model are widely adopted, yet many Web applications do not consider security thoroughly, leaving sites with hidden security risks. SQL injection vulnerabilities are widespread and hard to detect; combined with other system vulnerabilities they can lead to data leakage or even to the server being taken over. This paper describes the characteristics and principles of SQL injection attacks from three perspectives, the application server, the database server and the application code, and summarises the commonly used injection techniques and countermeasures. Finally, it proposes a model that defends against SQL injection by recording the user's IP address, validating user input and limiting the number of inputs a user may submit. The model performs a first-level check on the browser side and a second-level check on the server side, records the attacker's IP address, and denies access to attackers whose number of attempts is too high. Test results show that the model is practical and secure.

Abstract (English, as published): In recent years, B/S mode technology has been widely adopted, but many web sites have not fully considered security problems, which leaves potential security risks in those sites. SQL injection bugs have been exploited widely but are difficult to detect. Furthermore, once they are combined with other system bugs, they may bring about data leakage or even cause servers to be taken over. This paper describes the features and principles of SQL injection attacks and the injection attack prevention methods that are commonly used. Finally, this paper puts forward a method of recording the user's IP, verifying the user's input, and controlling the number of faulty inputs a user may submit, in order to increase the safety of the web site. The model sets a first-level check in the browser and a second-level check in the server, and at the same time records the attackers' IPs, so that attackers with too many attempts are forbidden access. The test results show that the prevention model has high practicality and safety.
Authors: 刘鑫, 高泽华
Source: 《软件》 (Software), 2012, No. 12, pp. 296-298 and 321 (4 pages)
Keywords: SQL injection; vulnerability; guard method; guard model; SQL Injection Bug; Guard Method; Guard Model
