| With the development of Internet, the application of dynamic Web site based on B/S model is favored by various sectors of society. However, the programmers with weak safety and immature defense technology have taken a lot of insecurity to such Web site. SQL injection attacks is one of the most common form attacks against the scripting system, and also one of the most harmful attacks. The use of SQL injection vulnerabilities, an attacker can manipulate the background database, leading sensitive information leaked, database content and structure destroyed, and even use the extensions of database to control server operating system, destroy hard disk data, and even paralyze the entire system .In the current domestic dynamic Web site, IIS + ASP + Access or SQL Server has been the common model to build a Web site, and widely used in a variety of Internet applications, the advantage is simple, easy to use, development of high efficiency, practical, would not disclose the source code and support for virtual directories etc, has been recognized the best development tools for dynamic Web site under Windows platform; disadvantage is that over-reliance on the programmer, if the server does not properly set up or inappropriate programming, will lead to greater risk of vulnerability and threat to the security of the site. In order to reduce or even eliminate SQL injection vulnerabilities, improve site and system security, urgently need for researchers to design a SQL injection attacks defense system.Firstly, this paper analyzes the web site architecture and data transfer process, as well as SQL and ASP technology, on these bases, detailed describes SQL injection attacks on principle, characteristics, processes, attack methods and defense methods; then uses ISAPI filter to design a SQL injection attacks defense system; by analyzing the advantages and disadvantages of the common anti-SQL injection system and the SQL auto-defense model, I make improvements and design a new general anti-SQL injection system.ISAPI filter is located between the Web server and the client, it can filter the data between the server and the client. Therefore, by configuring the ISAPI filter to filter special characters and keywords used in SQL injection attacks, and limit some IP addresses to access web pages, protect .mdb files from downloading, prevent from storm database attacks, so as to achieve the effect of defense. ISAPI filter is a dynamic library file, just configure the server side and simply load the library files, no need to change the ASP page document.On the network, the popular common SQL injection defense system is ASP page document, before accessing server database will call this file. Because of its over-emphasis on security, it has a certain false alarm rate. So, in the paper, the author improved the Common SQL injection defense system. About Common SQL injection defense system, author narrowed the scope of SQL filter keywords and added names used in Web site database to the filter keywords, converted the special symbols in the data submitted by a user, for malicious database attackers, would stop their IP addresses from accessing Web site when the number of attacks was more than 3 times, as well, added functions of sending E-mail and system sounds alarm in the system, which not only reduced false alarm rate but also enabled administrators to detect attacks in time. |
PDF Full Text Request