Web Security levels that can be implemented


Question

Currently I'm working with a website that will handle a very large amount of data. These data/entries will be stored in an MS SQL Server database. My question is: what security techniques can I use to protect the private data from hackers and the like? I have in mind the encryption of the URL to prevent SQL injections, and also encrypting the data that will be entered by the users.

Any form of ideas is greatly appreciated, thank you.

Recommended answers

There are reams of security advice, but you can avoid the main problems by:

  • Use parameterised queries. Never construct a query by building up a string from user input. This protects you against SQL injection (probably the no. 1 exploit) and it's also faster and more type safe.
  • Don't save passwords in plain text. (Using the default ASP.net Membership/Role system will automatically get this and a whole bunch of other stuff right for you.) This prevents a database hack or leak compromising people's passwords.
  • Don't output unsanitised user input directly into the page stream (to prevent cross-site scripting attacks) – not so relevant for ASP.net as you don't generally make the stream yourself.
  • If you are concerned about in-transit interception of credentials or data, use SSL (i.e. HTTPS).


I think you're referring to encoding user input and not encrypting it.

Some things that spring to mind that you should look out for:

1. Don't trust the user's input. Make sure you validate it (especially strings) and HtmlEncode it if you're going to display it in a web page again.
2. Parameterize your queries.
3. Make sure the account with which you're logging onto SQL Server has the bare minimum in terms of permissions to cover your functionality. You shouldn't need more than dbdatareader and dbdatawriter by the sound of it.
4. Don't store sensitive stuff like a password in a cookie.

Find out more here:

http://msdn.microsoft.com/en-us/library/ff648647.aspx
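An added example, not from either answer above, written in C#/ADO.NET for the ASP.NET and SQL Server setup the question describes: the string-built query both answers warn against beside its parameterised form, plus HtmlEncode at render time (the second answer's point 1). The table dbo.Entries, the connection-string name "EntriesDb" and all method names are assumptions for illustration.

```csharp
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;

// Hypothetical schema: dbo.Entries(Id INT, Owner NVARCHAR(100), Body NVARCHAR(MAX))
// and a connection string named "EntriesDb" in web.config (both assumptions).
public static class EntryRepository
{
    private static readonly string ConnStr =
        ConfigurationManager.ConnectionStrings["EntriesDb"].ConnectionString;

    // VULNERABLE (the pattern both answers warn against): the statement is built by
    // string concatenation, so a quote character in 'owner' closes the literal and
    // whatever follows in the input is executed as SQL.
    public static List<string> GetBodiesUnsafe(string owner)
    {
        string sql = "SELECT Body FROM dbo.Entries WHERE Owner = '" + owner + "'";
        return Run(sql, null);
    }

    // SAFE: the statement text is constant; the value is bound as a typed parameter
    // and is never parsed as SQL, whatever characters it contains.
    public static List<string> GetBodies(string owner)
    {
        const string sql = "SELECT Body FROM dbo.Entries WHERE Owner = @owner";
        var p = new SqlParameter("@owner", SqlDbType.NVarChar, 100) { Value = owner };
        return Run(sql, p);
    }

    private static List<string> Run(string sql, SqlParameter p)
    {
        var bodies = new List<string>();
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            if (p != null) cmd.Parameters.Add(p);
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
                while (reader.Read()) bodies.Add(reader.GetString(0));
        }
        return bodies;
    }

    // Output encoding (second answer, point 1): encode when rendering, so a stored
    // "<script>" tag is shown as text instead of running in the visitor's browser.
    public static string RenderBody(string body)
    {
        return "<p>" + HttpUtility.HtmlEncode(body) + "</p>";
    }
}
```

The account behind "EntriesDb" should hold only the db_datareader/db_datawriter memberships the second answer's point 3 describes, so even a query that does get injected cannot alter schema or escalate.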

