预防新网站 [英] Precaution to new website
问题描述
专家,
我现在是,
我正在为我们的公司开发CRM项目.该项目即将开始.
我正在使用MySql作为数据库.
为了使我的网站免遭黑客入侵,我必须采取哪些预防措施
又快.
其他建议也可以接受.
在此先感谢.......
Hi Expert,
I am uday ,
I am developing CRM Project for our company.It is about to begin.
I am using MySql as database.
what are the precaution i have to take to make my website safe from hacking
and fast.
Other Suggestion are acceptable .
Thanks in advance.......
推荐答案
您需要阅读一些内容,但这两者通常是由于开发人员的实践不当所致(相对于服务器软件等),因此您特别需要注意以下内容:
- SQL注入.在这里您可以执行类似的操作
You need to do some reading around, but the two that are usually caused by poor developer practice (as opposed to server software etc) and therefore you particularly need to watch for are:
- SQL Injection. This is where you do something like
string query = "select from table where id=''" + someUserInputString + "''";
用户输入可以包含有效的SQL,并且在结构不良的数据库权限系统(即脚本具有完全访问权限的系统)中,可以对您的数据库执行任何操作.
通过使用参数化查询来避免这种情况.如果您正在使用DataAdapters及其它所有其余部分,则没有理由使用用户输入来构造文字查询字符串.
与SQL注入类似,这是页面的动态内容在HTML流中回显用户输入的地方,例如
The user input can contain valid SQL and, in a poorly structured database permissions system (i.e. where the script has full access), can do anything to your database.
Avoid this by using parameterised queries. If you''re using DataAdapters and all the rest of it there is no reason to ever construct a literal query string with user input.
Similar to SQL injection, this is where dynamic content for the page echoes user input in the HTML stream, e.g.
label.Text = "<p>You typed " + Request["InputField"] + "!</p>";
通过转义(或标记)要从输入复制到输出的任何内容来避免这种情况.
Avoid this by escaping (or detagging) anything which you want to copy from input to output.
除了Bob的非常好的建议外,我还会添加我亲身经历过的另一种注射方式.
如果使用Web表单,用户发布了一些数据,然后使用发布的数据来填充电子邮件标题和消息(RFC 2822,RFC 5322,位于 ^ ])) ?哦,您很容易被黑客入侵,从而使您的主机变成分发垃圾邮件或类似内容的僵尸.
这真的非常容易,因为您的所有电子邮件标题都是纯文本,并且由诸如行分隔符之类的易碎内容定义.合法用户始终会发布单独的行,但是通过编程,将行分隔符插入用于一个标头的HTTP POST字段中并添加其他标头非常容易.例如,可以在主题"字段中插入抄送:[百万个电子邮件地址]".这种模式可能有很多变体,或者任何想法类似的东西.
防止这种情况也很简单,但是需要100%可靠的逻辑.您不应该假定任何标题的内容都是有效的并且可以验证所有内容,过滤出不符合要求格式的任何案例,并将该案例作为恶意活动的尝试写在某些日志中,以便以后用于调查.例如,除了您现有的保护措施之外,您还可以将违规者列入黑名单(这完全是不可靠的,尽管就像电子邮件一样,任何人都可以冒充任何人;这可以稍微改善您的表现).
-SA
In addition to a very nice advice by Bob I would add some other kind of injection I personally experienced.
What happen if you use Web form, the user posts some data, and then you use posted data to fill in e-mail headers and message (RFC 2822, RFC 5322 at http://tools.ietf.org[^])? Oh, you can be hacked very easily to turn you host into a zombie distributing spam or something like that.
It is really very easy because all your e-mail headers are all in plain text and are defined by such a fragile thing as line separator characters. A legitimate user always posts separate line, but programmatically it''s extremely easy to insert line separator inside a HTTP POST field intended for one header and add some other header. For example, one can inject "CC: [million of e-mail addresses]" in the "Subject" field. There could be many variants of this schema or anything similar in idea.
Preventing this is very simple, too, but would need 100% reliable logic. You should not assume that content of any headers is valid and validate everything, filter out any cases not matching required format and write the case as an attempt of malicious activity in some log, which can later be used for investigation. For example, in addition to your existing protection you can blacklist the offenders (this is not reliable at all though as with e-mails anyone can impersonate anyone; it could just improve your performance a bit).
—SA
开始 ^ ].这些是您需要自己学习的研究问题.不可能对这样的问题给出简单的答案.
Start here[^]. These are research questions that you will need to study for yourself. It is not possible to give simple answers to questions like this.
这篇关于预防新网站的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!