zoukankan      html  css  js  c++  java
  • Database Security: Database Vulnerability

    Security breaches are an increasing phenomenon.

    As more and more databases are made accessible via the Internet and web-based applications, their exposure to security threats will rise.

    The objective is to reduce susceptibility to these threats.

    Perhaps the most publicized database application vulnerability has been the SQL injection.

    SQL injections provide excellent examples for discussing security as they embody one of the most important database security issues, risks inherent to non-validated user input.

    SQL injections can happen when SQL statements are dynamically created using user input.

    The threat occurs when users enter malicious code that ‘tricks’ the database into executing unintended commands.

    The vulnerability occurs primarily because of the features of the SQL language that allow such things as embedding comments using double hyphens (- -), concatenating SQL statements separated by semicolons, and the ability to query metadata from database data dictionaries.

    The solution to stopping an SQL injection is input validation.

    SQL injections can be prevented by validating user input.

    Three approaches are commonly used to address query string validation: using a black list, using a white list, or implementing parameterized queries.

    The black list parses the input string comparing each character to a predefined list of non-allowed characters. The disadvantage to using a black list is that many special characters can be legitimate but will be rejected using this approach. The common example is the use of the apostrophe in a last name such as O’Hare.

    The white list approach is similar except that each character is compared to a list of allowable characters. The approach is preferred but special considerations have to be made when validating the single quote.

    Parameterized queries use internally defined parameters to fill in a previously prepared SQL statement.

    The importance of input validation cannot be overstated. It is one of the primary defense mechanisms for preventing database vulnerabilities including SQL injections.

  • 相关阅读:
    输入挂
    最长递增子序列nlogn的做法
    lca 倍增模版
    讨厌字符串
    js的事件处理与闭包:
    http
    html的语义化
    js性能优化
    js的缓存
    字面量声明和函数式声明
  • 原文地址:https://www.cnblogs.com/hbuwyg/p/11031422.html
Copyright © 2011-2022 走看看