[Exclusive] SQL Injection and XSS Attack Defense Technology White Paper
Excerpt from the 启明星斗 white paper:

What is SQL injection? SQL injection is the ability to use an existing application to inject (malicious) SQL commands into the back-end database engine for execution; this is the standard definition. As the B/S (browser/server) model has come into wide use, the number of programmers writing applications in this model has grown steadily, but developer skill and experience vary widely, and a considerable share of developers write code without performing the necessary validity checks on user input or on information carried in the page (such as cookies). This lets an attacker submit a piece of database query code and, based on the results the program returns, obtain data he wants. SQL injection travels over the normal HTTP service port and looks no different from ordinary web access on the surface, so it is highly covert and hard to detect. ......
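The unvalidated-input pattern the excerpt describes, placed beside the parameterized form that closes it, as an added example (Python with sqlite3; not code from the white paper). The users table and the input strings are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample database (not from the white paper)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable pattern: user-controlled data (a form field, a cookie value)
    is concatenated into the SQL text, so the database parses it as SQL."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened pattern: the value is bound as a parameter; whatever it
    contains, it is compared as data and never interpreted as SQL."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare(name):
    """Run both lookups on a fresh database and return (unsafe, safe) rows."""
    conn = make_db()
    try:
        return lookup_unsafe(conn, name), lookup_safe(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    # A well-formed name behaves the same either way.
    print(compare("bob"))
    # A value that closes the quote and appends a condition changes the
    # unsafe query's meaning; the bound parameter matches nothing.
    print(compare("x' OR '1'='1"))
```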