文章从数据库服务器本身讲防止SQL注入设置以及在程序中关于防止SQL注入一些参数过滤方法总结,有需要学习的同学可参考一下。
1.不要使用sa用户连接数据库
2.新建一个public权限数据库用户,并用这个用户访问数据库
3.[角色]去掉角色public对sysobjects与syscolumns对象的select访问权限
4.[用户]用户名称-> 右键-属性-权限-在sysobjects与syscolumns上面打“×”
5.在SQL查询分析器中执行以下代码(失败表示权限正确,如能显示出来则表明权限太高):
| 代码如下 | 复制代码 |
|
DECLARE @T varchar(255), |
|
黑客攻击SQL Server时,首先采用的方法是执行master扩展存储过程xp_cmdshell命令来破坏数据库,为了数据库安全起见,最好禁止使用xp_cmdShell
xp_cmdshell可以让系统管理员以操作系统命令行解释器的方式执行给定的命令字符串,
并以文本行方式返回任何输出,是一个功能非常强大的扩展存贮过程。
一般情况下,xp_cmdshell对管理员来说也是不必要的,xp_cmdshell的消除不会对Server造成
任何影响。
可以将xp_cmdshell消除:
| 代码如下 | 复制代码 |
| Use Master Exec sp_dropextendedproc N'xp_cmdshell' Go |
|
如果需要的话,可以把xp_cmdshell恢复回来:
| 代码如下 | 复制代码 |
| Use Master Exec sp_addextendedproc N'xp_cmdshell', N'xplog70.dll' Go |
|
如果你数据库理有D99_Tmp或者D99_cmd这两个表,那么你放心了
比如如果你的网站使用PHP+MYSQL开发的(现在流行的大多数CMS发布系统都是采用PHP)。
1.加强脚本层(也就是在PHP方面加强防注入手段)。使用Php.ini的magic_quotes_gpc选项。在开发过程中凡是需要接受用户输入的位置使用addslashes函数、intval函数,htmlspecialchars函数,htmlentities函数,并加入javascript防注入漏洞过滤函数(现成的过滤函数可以在eesafe网络安全交流区里找到)和PHP防注入漏洞过滤函数(现成的过滤函数可以在eesafe网络安全交流区里找到)。
2.加强数据层(也就是数据库方面加强防注入手段)。在网站和数据库进行连接时(也就是连接池)使用的用户具有普通权限就可以了,不要使用超级用户或数据库所有者的账号。对提交数据的类型和格式进行严格检查,确保数据类型符合要求,比如用mysql数据库系统函数isnumberic()判断传到数据库中的值是否是数字。另外在连接数据库时尽量使用sssl或ssh。
asp防sql注入程序
| 代码如下 | 复制代码 |
|
dim sql_injdata |
|
多多使用SQL Server数据库自带的安全参数
为了减少注入式攻击对于SQL Server数据库的不良影响,在SQLServer数据库专门设计了相对安全的SQL参数。在数据库设计过程中,工程师要尽量采用这些参数来杜绝恶意的SQL注入式攻击。
如在SQL Server数据库中提供了Parameters集合。这个集合提供了类型检查和长度验证的功能。如果管理员采用了Parameters这个集合的话,则用户输入的内容将被视为字符值而不是可执行代码。即使用户输入的内容中含有可执行代码,则数据库也会过滤掉。因为此时数据库只把它当作普通的字符来处理。使用Parameters集合的另外一个优点是可以强制执行类型和长度检查,范围以外的值将触发异常。如果用户输入的值不符合指定的类型与长度约束,就会发生异常,并报告给管理员。如上面这个案例中,如果员工编号定义的数据类型为字符串型,长度为10个字符。而用户输入的内容虽然也是字符类型的数据,但是其长度达到了20个字符。则此时就会引发异常,因为用户输入的内容长度超过了数据库字段长度的限制。
How to Grant Permissions to New MySQL UsersMay 09, 2025 am 12:16 AMTograntpermissionstonewMySQLusers,followthesesteps:1)AccessMySQLasauserwithsufficientprivileges,2)CreateanewuserwiththeCREATEUSERcommand,3)UsetheGRANTcommandtospecifypermissionslikeSELECT,INSERT,UPDATE,orALLPRIVILEGESonspecificdatabasesortables,and4)
How to Add Users in MySQL: A Step-by-Step GuideMay 09, 2025 am 12:14 AMToaddusersinMySQLeffectivelyandsecurely,followthesesteps:1)UsetheCREATEUSERstatementtoaddanewuser,specifyingthehostandastrongpassword.2)GrantnecessaryprivilegesusingtheGRANTstatement,adheringtotheprincipleofleastprivilege.3)Implementsecuritymeasuresl
MySQL: Adding a new user with complex permissionsMay 09, 2025 am 12:09 AMToaddanewuserwithcomplexpermissionsinMySQL,followthesesteps:1)CreatetheuserwithCREATEUSER'newuser'@'localhost'IDENTIFIEDBY'password';.2)Grantreadaccesstoalltablesin'mydatabase'withGRANTSELECTONmydatabase.TO'newuser'@'localhost';.3)Grantwriteaccessto'
MySQL: String Data Types and CollationsMay 09, 2025 am 12:08 AMThe string data types in MySQL include CHAR, VARCHAR, BINARY, VARBINARY, BLOB, and TEXT. The collations determine the comparison and sorting of strings. 1.CHAR is suitable for fixed-length strings, VARCHAR is suitable for variable-length strings. 2.BINARY and VARBINARY are used for binary data, and BLOB and TEXT are used for large object data. 3. Sorting rules such as utf8mb4_unicode_ci ignores upper and lower case and is suitable for user names; utf8mb4_bin is case sensitive and is suitable for fields that require precise comparison.
MySQL: What length should I use for VARCHARs?May 09, 2025 am 12:06 AMThe best MySQLVARCHAR column length selection should be based on data analysis, consider future growth, evaluate performance impacts, and character set requirements. 1) Analyze the data to determine typical lengths; 2) Reserve future expansion space; 3) Pay attention to the impact of large lengths on performance; 4) Consider the impact of character sets on storage. Through these steps, the efficiency and scalability of the database can be optimized.
MySQL BLOB : are there any limits?May 08, 2025 am 12:22 AMMySQLBLOBshavelimits:TINYBLOB(255bytes),BLOB(65,535bytes),MEDIUMBLOB(16,777,215bytes),andLONGBLOB(4,294,967,295bytes).TouseBLOBseffectively:1)ConsiderperformanceimpactsandstorelargeBLOBsexternally;2)Managebackupsandreplicationcarefully;3)Usepathsinst
MySQL : What are the best tools to automate users creation?May 08, 2025 am 12:22 AMThe best tools and technologies for automating the creation of users in MySQL include: 1. MySQLWorkbench, suitable for small to medium-sized environments, easy to use but high resource consumption; 2. Ansible, suitable for multi-server environments, simple but steep learning curve; 3. Custom Python scripts, flexible but need to ensure script security; 4. Puppet and Chef, suitable for large-scale environments, complex but scalable. Scale, learning curve and integration needs should be considered when choosing.
MySQL: Can I search inside a blob?May 08, 2025 am 12:20 AMYes,youcansearchinsideaBLOBinMySQLusingspecifictechniques.1)ConverttheBLOBtoaUTF-8stringwithCONVERTfunctionandsearchusingLIKE.2)ForcompressedBLOBs,useUNCOMPRESSbeforeconversion.3)Considerperformanceimpactsanddataencoding.4)Forcomplexdata,externalproc
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Safe Exam Browser
Safe Exam Browser is a secure browser environment for taking online exams securely. This software turns any computer into a secure workstation. It controls access to any utility and prevents students from using unauthorized resources.
ZendStudio 13.5.1 Mac
Powerful PHP integrated development environment
SecLists
SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.
PhpStorm Mac version
The latest (2018.2.1) professional PHP integrated development tool
MinGW - Minimalist GNU for Windows
This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.
