
An Integrated Defense Strategy for SQL Injection Attacks

Posted on: 2008-01-04
Degree: Master
Type: Thesis
Country: China
Candidate: Z G Yin
Full Text: PDF
GTID: 2208360215498093
Subject: Computer application technology
Abstract/Summary:
SQL injection has been one of the most popular ways of attacking Internet websites in recent years. The attack works through SQL syntax itself, so it is effective against every platform built on database software that follows the SQL language standard (including MS SQL Server, Oracle, DB2, Sybase, MySQL, etc.). Because the principle behind SQL injection is relatively simple, it is easy to learn and easy to carry out, which makes this kind of attack very widespread.

In this thesis I first analyse the principle of SQL injection attacks, their concrete forms, and the general defensive measures together with their limitations. I then give a detailed analysis of how the ASP.NET server processes an HTTP request on the .NET platform and examine what ASP.NET offers in terms of security. Finally, I use an ASP.NET-level URL rewriting technique, "using an HTTP module to carry out the URL rewriting", to establish an integrated defense policy against SQL injection.

This policy first requires that different Web application systems built on different Microsoft technologies (e.g. ASP, ASP.NET C#, ASP.NET VB, etc.) be integrated on the .NET system. This makes it easy to establish a unified, integrated mechanism at the ASP.NET server for defending all of them against SQL injection. The thesis also sets up a Detection/Defence/Location Model for SQL injection attacks. The strategy combines the general defensive measures against SQL injection with ASP.NET-level URL rewriting. Low-grade SQL injection attacks and common user mistakes are detected on the client side, in order to reduce network traffic and server load. High-grade SQL injection attacks (in particular, those in which an experienced attacker bypasses the client-side checks) are detected and defended against on the server side, where they are also intelligently tracked or located and recorded.

Experiments show that this integrated defense strategy is feasible on a platform with MS .NET 2.0 and SQL Server 2000. The design of the experimental system (the IDP_SQLIA system) and an analysis of the experimental results are given in the thesis.
Keywords/Search Tags:SQL-Injection-Attack, URL Rewrite, ASP.NET System-Integration, Detection/Defence/Location Model, IDP_SQLIA System