Most common SQL injection attacks

Time: 2022-01-26 17:00:38

I'm developing a new application and i want to test if it's vulnerable. I know some common attacks, but maybe you can provide some more to make my app safer.


Thanks!

3 solutions

#1


1  

There's no reason to test for multiple attack vectors. Simply passing the character used to quote strings (usually ') should cause a syntax error if it's open to SQL injection -- unless you have an IDS or some signature-based detection standing in your way.


#2


2  

Check out this post: http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/ Also there's a Firefox add-on named SQL Inject Me, but right now it doesn't work with Firefox 6.


#3


0  

  • Always escape your variables with the proper function (for example, $pdo->quote() or mysql_real_escape_string(), depending on which extension you are using)

  • Use prepared statements as much as possible

  • Never escape your variables too early, or you will never know whether they are escaped or not. Just escape them as late as possible, and always consider that they are not escaped.

  • Properly set the connection encoding

If you follow this you are not vulnerable to SQL injection (provided that you don't forget to escape something).

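As an added example (not code from any of the answers), a runnable Python sketch of the points made in answers #1 and #3 using sqlite3: the quote-character probe from answer #1 run against a concatenated query, the same query with escaping applied at the last moment, and a prepared statement. The users table and its rows are constructed sample data.

```python
import sqlite3

def make_db():
    """Constructed in-memory sample table (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("o'brien", "ob@example.com")],
    )
    return conn

def lookup_concat(conn, name):
    """Vulnerable pattern: user input pasted straight into the SQL text."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_escaped(conn, name):
    """Escaping done as late as possible, right where the value enters the SQL.
    Doubling the quote is SQLite's string-literal escape; it only covers this
    quoted-string context, which is why prepared statements are preferred."""
    sql = "SELECT email FROM users WHERE name = '" + name.replace("'", "''") + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_prepared(conn, name):
    """Prepared statement: the value travels separately from the SQL text,
    so a quote in the input is data, never syntax."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

def probe(conn, fn, name):
    """Run one lookup and report how it reacted; answer #1's test is simply
    whether a stray quote character turns into a database error."""
    try:
        return ("ok", fn(conn, name))
    except sqlite3.Error as exc:
        return ("error", str(exc))

if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_concat, lookup_escaped, lookup_prepared):
        print(fn.__name__, probe(db, fn, "o'brien"))
```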
