Database Security: Database Vulnerability

Security breaches are becoming more frequent.

As more and more databases are made reachable through the Internet and web-based applications, their exposure to security threats rises.

The objective of database security is to reduce susceptibility to these threats.

Perhaps the most publicized database application vulnerability has been SQL injection.

SQL injection provides an excellent example for discussing security because it embodies one of the most important database security issues: the risk inherent in unvalidated user input reaching the database.

SQL injection becomes possible when SQL statements are built dynamically by concatenating user input into the statement text.

The attack occurs when a user supplies input crafted so that the database parses it as part of the SQL statement and executes commands the application never intended.

The root cause is that code and data are mixed in a single string. Several features of the SQL language then make the attack easy to carry out: comments introduced by a double hyphen (--), which let the attacker discard the remainder of the original statement; multiple statements concatenated with semicolons, which let the attacker append commands of their own; and the ability to query metadata from the database's data dictionary (system catalog), which tells the attacker what tables and columns exist.

SQL injection is stopped by controlling how user input reaches the query: validating the input before it is used and, more robustly, keeping it out of the SQL text altogether.

Three approaches are commonly used to address query string validation: using a black list, using a white list, or implementing parameterized queries.

The black list approach scans the input string and compares each character against a predefined list of disallowed characters. Its disadvantage is that many special characters are legitimate in real data yet will be rejected; the classic example is the apostrophe in a surname such as O'Hare. A black list is also easy to bypass, since the attacker only needs an encoding or SQL construct the list did not anticipate.

The white list approach is similar, except that each character is compared against a list of allowed characters. This approach is preferred, but the single quote needs special handling: a surname such as O'Hare forces it onto the allowed list, and once it is allowed it must be escaped (doubled, in standard SQL) before the value is placed in the statement, or the white list alone does not stop injection.

Parameterized queries (prepared statements) send the SQL statement to the database with placeholders where the values belong; the user-supplied values are bound to those placeholders separately and are never parsed as SQL, so the apostrophe in O'Hare and an attacker's quote are both treated as plain data. This is the most reliable of the three approaches.
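
The following is an added example, not code from the original post: it builds the vulnerable concatenated query described above, runs payloads that use the comment, UNION and data-dictionary features of SQL, and then applies the three mitigations (black list, white list with quote escaping, parameterized query). It uses only Python's built-in sqlite3 module with an in-memory database; the users and api_keys tables and their rows are constructed for the demo and are assumptions, not data from the page.

```python
"""Added example (not from the original post): SQL injection against a query
built by string concatenation, and the three mitigations the text lists
(black list, white list, parameterized query). Uses only Python's built-in
sqlite3 with an in-memory database. The tables, columns and rows below are
constructed for the demo and are assumptions, not the page's data."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a users table plus a table the caller must never read."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, last_name TEXT, email TEXT);
        INSERT INTO users (last_name, email) VALUES ('Smith', 'smith@example.com');
        INSERT INTO users (last_name, email) VALUES ('O''Hare', 'ohare@example.com');
        CREATE TABLE api_keys (id INTEGER PRIMARY KEY, secret TEXT);
        INSERT INTO api_keys (secret) VALUES ('sk-constructed-secret');
        """
    )
    return con


def find_users_vulnerable(con: sqlite3.Connection, last_name: str) -> list:
    """The user-supplied string is spliced into the SQL text, so the database
    parses whatever the user typed as part of the statement."""
    sql = "SELECT last_name, email FROM users WHERE last_name = '" + last_name + "'"
    return con.execute(sql).fetchall()


# Payloads exercising the SQL features the text names: a quote to break out
# of the string literal, UNION to pull rows from other tables (including the
# data dictionary, sqlite_master), and "--" to comment out the closing quote
# that the application appends.
PAYLOAD_ALL_ROWS = "' OR '1'='1"
PAYLOAD_METADATA = "x' UNION SELECT name, sql FROM sqlite_master --"
PAYLOAD_SECRETS = "x' UNION SELECT secret, '' FROM api_keys --"
# Letters, spaces and quotes only: this one passes a character white list.
PAYLOAD_WHITELIST_SAFE = "x' OR 'a' LIKE 'a"

# Black list: reject a handful of "dangerous" characters. Rejects O'Hare too.
DENY_CHARS = set("';-")


def black_list_ok(value: str) -> bool:
    return not any(ch in DENY_CHARS for ch in value)


# White list: only characters a surname may contain. Accepts O'Hare, but the
# quote it has to allow is exactly the character injection relies on.
ALLOWED_NAME = re.compile(r"[A-Za-z][A-Za-z '\-]{0,63}")


def white_list_ok(value: str) -> bool:
    return ALLOWED_NAME.fullmatch(value) is not None


def escape_single_quote(value: str) -> str:
    """The extra step a white list needs for the quote: double it so the
    database reads it as a literal apostrophe (standard SQL escaping)."""
    return value.replace("'", "''")


def find_users_parameterized(con: sqlite3.Connection, last_name: str) -> list:
    """SQL text and value travel separately; the value is never parsed as SQL,
    so neither filtering nor escaping is needed for correctness."""
    sql = "SELECT last_name, email FROM users WHERE last_name = ?"
    return con.execute(sql, (last_name,)).fetchall()


def demo() -> dict:
    """Run every case once and return the observable results."""
    con = make_db()
    return {
        "vuln_all_rows": len(find_users_vulnerable(con, PAYLOAD_ALL_ROWS)),
        "vuln_tables": sorted(r[0] for r in find_users_vulnerable(con, PAYLOAD_METADATA)),
        "vuln_secret": find_users_vulnerable(con, PAYLOAD_SECRETS)[0][0],
        "black_list_ohare": black_list_ok("O'Hare"),
        "white_list_ohare": white_list_ok("O'Hare"),
        "white_list_payload": white_list_ok(PAYLOAD_WHITELIST_SAFE),
        "vuln_after_whitelist": len(find_users_vulnerable(con, PAYLOAD_WHITELIST_SAFE)),
        "vuln_after_escape": len(find_users_vulnerable(con, escape_single_quote(PAYLOAD_WHITELIST_SAFE))),
        "param_ohare": len(find_users_parameterized(con, "O'Hare")),
        "param_payload": len(find_users_parameterized(con, PAYLOAD_WHITELIST_SAFE)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the three defences side by side: the black list rejects O'Hare along with the attacks; the white list accepts O'Hare but also accepts a payload made only of letters, spaces and quotes, which still returns every row until the quote is doubled; the parameterized query returns exactly one row for O'Hare and none for the payload without any filtering at all. Stacked statements separated by semicolons are not shown because sqlite3's execute() refuses more than one statement per call; drivers that accept them make that feature exploitable in the same way.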

The importance of input validation cannot be overstated: together with parameterized queries, it is one of the primary defence mechanisms for preventing database vulnerabilities, including SQL injection.

Original article: https://www.cnblogs.com/hbuwyg/p/11031422.html

Time: 2024-10-11 17:57:07
