I have done a lot of research, and the longer I search and can't find an answer, the happier I get.
I have written my own PHP MVC web framework, and I worry that SQL injection is the only vulnerability I need to worry about.
I used my own database abstraction methods and support different databases, and my statements are SQL-injection proof. So my question is simple: is there anything else I need to worry about in regards to protecting my database?
If there are any, please provide details or an article where I can get more information, and if possible, solutions too.
Thank you. Ibrahim
4 solutions
#1
2
- If you allow uploads, do you limit the size of the files that are uploaded, or the amount?
- Besides protecting yourself from SQL injection, do you explicitly limit the length of data?
- Do you limit the amount of times data can be inserted into your database?
- Besides SQL injection, are you protected against JavaScript injection? If I store <script>malicious code</script> in your database, are you sure that the code won't be executed when someone views my text via a browser?
#2
2
There's a lot more to worry about than SQL injection, just take a look at the list here:
https://www.owasp.org/index.php/Category:Vulnerability
Some of the more common ones are:
- Session hijacking
- Being able to guess (and access) other records by id
- Non-encrypted public record IDs
- Ability to upload executable files
- Ability to access other's files
- Authentication/authorization vulnerabilities
- Session fixation
The list goes on and on, but take a look at PHP's security doc user notes; there are some pretty good comments in there:
#3
0
Datawise, escape all incoming data and entity/specialchars all outgoing data. Simple philosophy that ensures you only operate on data once going in and once going out.
Consider session hijacking, cookie edit hacks, form tampering (don't use the direct value of select and hidden forms; assign them a key, like an integer that corresponds to an element in an array, and use that key to get the value of the element).
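The "integer key into a server-side array" idea from this answer, as an added PHP example (not code from the original post); the shipping options, prices and function names are assumptions:

```php
<?php
// Added example (not from the original answer): select options are looked up by an
// integer key on the server, so a tampered POST value cannot pick a price or label
// that is not in the allowed list. Option names and prices are hypothetical.
declare(strict_types=1);

const SHIPPING_OPTIONS = [
    1 => ['label' => 'Standard', 'price_cents' => 500],
    2 => ['label' => 'Express',  'price_cents' => 1500],
];

/** Render the <select>; only the key goes to the client, never the price. */
function renderShippingSelect(): string
{
    $html = '<select name="shipping">';
    foreach (SHIPPING_OPTIONS as $key => $opt) {
        $html .= sprintf('<option value="%d">%s</option>',
            $key, htmlspecialchars($opt['label'], ENT_QUOTES | ENT_HTML5, 'UTF-8'));
    }
    return $html . '</select>';
}

/** Resolve the submitted key back to the server-side option, or fail closed. */
function resolveShipping(array $post): array
{
    $raw = $post['shipping'] ?? '';
    // FILTER_VALIDATE_INT rejects "1abc", "1.0", empty strings and values below min_range.
    $key = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($key === false || !array_key_exists($key, SHIPPING_OPTIONS)) {
        throw new UnexpectedValueException('invalid shipping option');
    }
    return SHIPPING_OPTIONS[$key];
}

echo renderShippingSelect(), PHP_EOL;

// Constructed submissions: one legitimate, two tampered (unknown key, non-integer).
foreach ([['shipping' => '2'], ['shipping' => '99'], ['shipping' => 'abc']] as $post) {
    try {
        $opt = resolveShipping($post);
        printf("accepted %s at %d cents\n", $opt['label'], $opt['price_cents']);
    } catch (UnexpectedValueException $e) {
        printf("rejected %s: %s\n", var_export($post['shipping'], true), $e->getMessage());
    }
}
```

The same pattern applies to hidden fields: store the real value server-side (session or database) and let the form carry only an opaque key that is validated on submission.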
#4
-2
If you're using .NET, just do a quick Google search. You can prevent most attacks by modifying your web config.
<authentication mode="Forms">
  <forms protection="All" loginUrl="~/Account/Login.aspx" timeout="30" slidingExpiration="true" />
</authentication>
As far as other things go, then yes, there are a few things you might need to worry about, such as people passing <script>alert('boo');</script> in their input. So when it's time for outputting the database value, you might subject your customers to security threats, assuming the alert('boo') is something more evil.
There's a comprehensive list here: https://www.owasp.org/index.php/Main_Page
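The stored-script case raised in answers #1 and #4, together with answer #3's "validate going in, encode going out" rule, as one added PHP example (not code from the original post); MAX_COMMENT_LENGTH and the function names are assumptions:

```php
<?php
// Added example (not from the original post): the stored string from the answers above,
// rendered raw (what a browser would execute) versus HTML-encoded at output time.
// MAX_COMMENT_LENGTH is a hypothetical per-field limit.
declare(strict_types=1);

const MAX_COMMENT_LENGTH = 2000;

/** Input side: reject over-long data before it reaches the database (answer #1). */
function acceptComment(string $input): string
{
    if (mb_strlen($input, 'UTF-8') > MAX_COMMENT_LENGTH) {
        throw new InvalidArgumentException('comment too long');
    }
    return $input; // stored unchanged; encoding belongs at output, not at storage
}

/** Output side: encode for an HTML body context (answer #3's "specialchars out"). */
function renderText(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Output side: encode for an HTML attribute value; the attribute is always quoted. */
function renderAttr(string $stored): string
{
    return '"' . htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '"';
}

$stored = acceptComment('<script>malicious code</script>');

// Vulnerable: the stored text is concatenated into the page unchanged, so the
// browser parses it as markup and runs the script (stored XSS).
$unsafe = '<p>' . $stored . '</p>';
// Safe: the same text encoded for the body context; the browser shows it literally.
$safe = '<p>' . renderText($stored) . '</p>';

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;
// Attribute context needs quoting plus encoding, otherwise a stored value can
// break out of the attribute and add its own.
echo '<input type="text" value=' . renderAttr($stored) . '>', PHP_EOL;
```

Encoding at output rather than at storage keeps the database value reusable in non-HTML contexts (JSON, e-mail, CSV), each of which needs its own encoding.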