Sunday, Dec 20,

Preventing SQL Injection

One of the most effective methods of preventing SQL injection is to examine all user input thoroughly, identifying every meta-character that the database system could interpret and filtering it out. Filters should be in place to remove everything except known-good data. An account lockout policy should also be in place to prevent brute-force guessing of passwords.

All security validation must be performed in the server-side script, not through client-side checks such as JavaScript, because a user can simply disable JavaScript in the browser and bypass them.

When dealing with numeric input such as an age, a phone number or a credit or bank card number, the value should be passed through a purpose-built function that ensures the data contains only digits (and possibly spaces). Similar functions can be written for other data types such as dates, integers and floats. Alternatively, for some numeric fields the input can be taken from a drop-down selection box. If the input comes from a drop-down box, its possible values are fixed in the source code and no validation of the selected value is necessary.

When dealing with string input it may in some cases be necessary to allow specific meta-characters. For example, the apostrophe should be permitted in a submitted last name so that names like O'Connor are accepted. In that case it is wise to accept the name but replace the single apostrophe with two apostrophes before it is used in the query or stored in the database.

Wherever user input arrives through text fields, it is important to limit the length of the input. All text fields should be kept as short as possible, with a maximum length appropriate to the data they are meant to hold. Keeping each field as short as possible limits the number of characters an attacker has available to launch a SQL injection.

Another line of defense is limiting error messages. Error messages are usually generated in HTML, where an attacker is able to read them. The details of every error message should instead be logged to the database or to a file on the server, rather than displayed in the dynamically generated error page.
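As an added example (not code from the original post), the following server-side handler puts the points above into practice: a digits-and-spaces filter for a numeric field, a length limit on a string field that still admits names like O'Connor, parameter binding so the database driver handles the quoting of meta-characters, and error details that go to the server log rather than the user. The table, the two rows in it and the length limits are all constructed for this illustration.

```python
import logging
import re
import sqlite3

MAX_NAME_LEN = 40   # length limit for the last-name field (assumed value)
MAX_PHONE_LEN = 20  # length limit for the phone field (assumed value)

def build_db():
    """Constructed sample database for the example, not from the original post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, last_name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "O'Connor", "555 0101"), (2, "Smith", "555 0102")])
    return conn

def validate_phone(value):
    """Numeric field: digits and spaces only, with a length limit, checked server-side."""
    return 1 <= len(value) <= MAX_PHONE_LEN and re.fullmatch(r"[0-9 ]+", value) is not None

def validate_last_name(value):
    """String field: only a length limit; the apostrophe stays allowed for names like O'Connor."""
    return 1 <= len(value) <= MAX_NAME_LEN

def run_query(conn, sql, params):
    """Bind the user value as a parameter so the driver, not string concatenation,
    handles quoting; on failure log the details and hand back only a generic result."""
    try:
        return [row[0] for row in conn.execute(sql, params).fetchall()]
    except sqlite3.Error:
        logging.exception("query failed")  # full details go to the server log only
        return None                        # caller shows a generic error page

def find_by_last_name(conn, last_name):
    if not validate_last_name(last_name):
        return None  # rejected before it ever reaches the database
    return run_query(conn, "SELECT id FROM users WHERE last_name = ?", (last_name,))

def find_by_phone(conn, phone):
    if not validate_phone(phone):
        return None  # rejected before it ever reaches the database
    return run_query(conn, "SELECT id FROM users WHERE phone = ?", (phone,))

if __name__ == "__main__":
    db = build_db()
    print(find_by_last_name(db, "O'Connor"))  # [1]: the apostrophe is data, not SQL
    print(find_by_phone(db, "555-0102"))      # None: the hyphen fails the numeric filter
```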

Each query in the application's code should be executed with the most limited access rights that the query itself requires. For example, the query that checks the user name and password from the text boxes on a login page should be configured so that the code runs with read-only permissions. This prevents an attacker from inserting data into the database through those text boxes.

Stored procedures are an advanced feature of various SQL servers. Besides offering some protection against SQL injection, stored procedures also improve the performance of the website, because the SQL statements are compiled and run on the database server itself rather than in the web application. When stored procedures are used, injected code must meet a number of conditions to be effective: the malicious SQL must be supplied in a structured manner, with the correct number of parameters, in order to succeed. The structure and the number of parameters can vary greatly depending on the programming decisions of the web developers.

It is not necessary to be an expert on SQL injection to test a site against attack, because many automated software tools are available, such as the Web Vulnerability Scanner from Acunetix and SOAtest from Parasoft, that systematically carry out a series of attacks, including SQL injection. Automated tests should be conducted regularly and after any major change to the website or server.

SQL injection attacks are a serious threat to the security of dynamic web pages, and it is important that adequate countermeasures are in place to prevent such an attack from succeeding. In theory, if meta-characters were handled with 100 percent effectiveness, the risk of this type of attack from web browser forms would be eliminated. In reality, if this were the only line of defense, a single programming error could easily leave the system vulnerable.

The best approach is to take as many precautions as possible; this is known as the "defense in depth" approach. A combination of security measures, such as validating input, neutralizing or limiting meta-characters, limiting error messages and restricting access rights on the web server, can be used to give a web-based application full protection against a SQL injection attack. This approach, together with extensive testing as one of the last phases of web development and regular testing and security reviews thereafter, should be sufficient to protect against SQL injection.
