DATABASESECURITY“WHYDOINEEDTOSECUREMYDATABASESERVERNOONECANACCESSITITSINADMZPROTECTEDBYTHEFIREWALL”THISISOFTENTHERESPONSEWHENITISRECOMMENDEDTHATSUCHDEVICESAREINCLUDEDWITHINASECURITYHEALTHCHECKINFACT,DATABASESECURITYISPARAMOUNTINDEFENDINGANORGANIZATIONSINFORMATION,ASITMAYBEINDIRECTLYEXPOSEDTOAWIDERAUDIENCETHANREALIZEDTHISISTHEFIRSTOFTWOARTICLESTHATWILLEXAMINEDATABASESECURITYINTHISARTICLEWEWILLDISCUSSGENERALDATABASESECURITYCONCEPTSANDCOMMONPROBLEMSINTHENEXTARTICLEWEWILLFOCUSONSPECIFICMICROSOFTSQLANDORACLESECURITYCONCERNSDATABASESECURITYHASBECOMEAHOTTOPICINRECENTTIMESWITHMOREANDMOREPEOPLEBECOMINGINCREASINGLYCONCERNEDWITHCOMPUTERSECURITY,WEAREFINDINGTHATFIREWALLSANDWEBSERVERSAREBEINGSECUREDMORETHANEVERTHOUGHTHISDOESNOTMEANTHATTHEREARENOTSTILLALARGENUMBEROFINSECURENETWORKSOUTTHEREASSUCH,THEFOCUSISEXPANDINGTOCONSIDERTECHNOLOGIESSUCHASDATABASESWITHAMORECRITICALEYECOMMONSENSESECURITYBEFOREWEDISCUSSTHEISSUESRELATINGTODATABASESECURITYITISPRUDENTTOHIGHLIGHTTHENECESSITYTOSECURETHEUNDERLYINGOPERATINGSYSTEMANDSUPPORTINGTECHNOLOGIESITISNOTWORTHSPENDINGALOTOFEFFORTSECURINGADATABASEIFAVANILLAOPERATINGSYSTEMISFAILINGTOPROVIDEASECUREBASISFORTHEHARDENINGOFTHEDATABASETHEREAREALARGENUMBEROFEXCELLENTDOCUMENTSINTHEPUBLICDOMAINDETAILINGMEASURESTHATSHOULDBEEMPLOYEDWHENINSTALLINGVARIOUSOPERATINGSYSTEMSONECOMMONPROBLEMTHATISOFTENENCOUNTEREDISTHEEXISTENCEOFADATABASEONTHESAMESERVERASAWEBSERVERHOSTINGANINTERNETORINTRANETFACINGAPPLICATIONWHILSTTHISMAYSAVETHECOSTOFPURCHASINGASEPARATESERVER,ITDOESSERIOUSLYAFFECTTHESECURITYOFTHESOLUTIONWHERETHISISIDENTIFIED,ITISOFTENTHECASETHATTHEDATABASEISOPENLYCONNECTEDTOTHEINTERNETONERECENTEXAMPLEICANRECALLISANAPACHEWEBSERVERSERVINGANORGANIZATIONSINTERNETOFFERING,WITHANORACLEDATABASEAVAILABLEONTHEINTERNETONPORT1521WHENINVESTIGATINGTHISISSUEFURTHERITWASDISCOVEREDTHATACCESSTOTHEORACLESERVERWASNOTPROTECTEDINCLUDINGLACKOFPASSWORDS,WHICHALLOWEDTHESERVERTOBESTOPPEDTHEDATABASEWASNOTREQUIREDFROMANINTERNETFACINGPERSPECTIVE,BUTTHEUSEOFDEFAULTSETTINGSANDCARELESSSECURITYMEASURESRENDEREDTHESERVERVULNERABLETHEPOINTSMENTIONEDABOVEARENOTSTRICTLYDATABASEISSUES,ANDCOULDBECLASSIFIEDASARCHITECTURALANDFIREWALLPROTECTIONISSUESALSO,BUTULTIMATELYITISTHEDATABASETHATISCOMPROMISEDSECURITYCONSIDERATIONSHAVETOBEMADEFROMALLPARTSOFAPUBLICFACINGNETWORKYOUCANNOTRELYONSOMEONEORSOMETHINGELSEWITHINYOURORGANIZATIONPROTECTINGYOURDATABASEFROMEXPOSUREATTACKTOOLSARENOWAVAILABLEFOREXPLOITINGWEAKNESSESINSQLANDORACLEICAMEACROSSONEINTERESTINGASPECTOFDATABASESECURITYRECENTLYWHILECARRYINGOUTASECURITYREVIEWFORACLIENTWEWEREPERFORMINGATESTAGAINSTANINTRANETAPPLICATION,WHICHUSEDADATABASEBACKENDSQLTOSTORECLIENTDETAILSTHESECURITYREVIEWWASPROCEEDINGWELL,WITHACCESSCONTROLSBEINGBASEDONWINDOWSAUTHENTICATIONONLYAUTHENTICATEDWINDOWSUSERSWEREABLETOSEEDATABELONGINGTOTHEMTHEAPPLICATIONITSELFSEEMEDTOBEHANDLINGINPUTREQUESTS,REJECTINGALLATTEMPTSTOACCESSTHEDATABASEDIRECTLYWETHENHAPPENEDTOCOMEACROSSABACKUPOFTHEAPPLICATIONINTHEOFFICEINWHICHWEWEREWORKINGTHISMEDIACONTAINEDABACKUPOFTHESQLDATABASE,WHICHWERESTOREDONTOOURLAPTOPALLSECURITYCONTROLSWHICHWEREINPLACEORIGINALLYWERENOTRESTOREDWITHTHEDATABASEANDWEWEREABLETOBROWSETHECOMPLETEDATABASE,WITHNORESTRICTIONSINPLACETOPROTECTTHESENSITIVEDATATHISMAYSEEMLIKEACONTRIVEDWAYOFCOMPROMISINGTHESECURITYOFTHESYSTEM,BUTDOESHIGHLIGHTANIMPORTANTPOINTITISOFTENNOTTHEDIRECTAPPROACHTHATISTAKENTOATTACKATARGET,ANDULTIMATELYTHEENDPOINTISTHESAMESYSTEMCOMPROMISEABACKUPCOPYOFTHEDATABASEMAYBESTOREDONTHESERVER,ANDTHUSFACILITATESACCESSTOTHEDATAINDIRECTLYTHEREISASIMPLESOLUTIONTOTHEPROBLEMIDENTIFIEDABOVESQL2000CANBECONFIGUREDTOUSEPASSWORDPROTECTIONFORBACKUPSIFTHEBACKUPISCREATEDWITHPASSWORDPROTECTION,THISPASSWORDMUSTBEUSEDWHENRESTORINGTHEPASSWORDTHISISANEFFECTIVEANDUNCOMPLICATEDMETHODOFSTOPPINGSIMPLECAPTUREOFBACKUPDATAITDOESHOWEVERMEANTHATTHEPASSWORDMUSTBEREMEMBEREDCURRENTTRENDSTHEREAREANUMBEROFCURRENTTRENDSINITSECURITY,WITHANUMBEROFTHESEBEINGLINKEDTODATABASESECURITYTHEFOCUSONDATABASESECURITYISNOWATTRACTINGTHEATTENTIONOFTHEATTACKERSATTACKTOOLSARENOWAVAILABLEFOREXPLOITINGWEAKNESSESINSQLANDORACLETHEEMERGENCEOFTHESETOOLSHASRAISEDTHESTAKESANDWEHAVESEENFOCUSEDATTACKSAGAINSTSPECIFICDATABASEPORTSONSERVERSEXPOSEDTOTHEINTERNETONECOMMONTHEMERUNNINGTHROUGHTHESECURITYINDUSTRYISTHEFOCUSONAPPLICATIONSECURITY,ANDINPARTICULARBESPOKEWEBAPPLICATIONSWITHHEFUNCTIONALITYOFWEBAPPLICATIONSBECOMINGMOREANDMORECOMPLEX,ITBRINGSTHEPOTENTIALFORMORESECURITYWEAKNESSESINBESPOKEAPPLICATIONCODEINORDERTOFULFILLTHEFUNCTIONALITYOFAPPLICATIONS,THEBACKENDDATASTORESARECOMMONLYBEINGUSEDTOFORMATTHECONTENTOFWEBPAGESTHISREQUIRESMORECOMPLEXCODINGATTHEAPPLICATIONENDWITHDEVELOPERSUSINGDIFFERENTSTYLESINCODEDEVELOPMENT,SOMEOFWHICHARENOTASSECURITYCONSCIOUSASOTHER,THISCANBETHESOURCEOFEXPLOITABLEERRORSSQLINJECTIONISONESUCHHOTTOPICWITHINTHEITSECURITYINDUSTRYATTHEMOMENTDISCUSSIONSARENOWCOMMONPLACEAMONGTECHNICALSECURITYFORUMS,WITHMOREANDMOREWAYSANDMEANSOFEXPLOITINGDATABASESCOMINGTOLIGHTALLTHETIMESQLINJECTIONISAMISLEADINGTERM,ASTHECONCEPTAPPLIESTOOTHERDATABASES,INCLUDINGORACLE,DB2ANDSYBASEWHATISSQLINJECTIONSQLINJECTIONISSIMPLYTHEMETHODOFCOMMUNICATIONWITHADATABASEUSINGCODEORCOMMANDSSENTVIAAMETHODORAPPLICATIONNOTINTENDEDBYTHEDEVELOPERTHEMOSTCOMMONFORMOFTHISISFOUNDINWEBAPPLICATIONSANYUSERINPUTTHATISHANDLEDBYTHEAPPLICATIONISACOMMONSOURCEOFATTACKONESIMPLEEXAMPLEOFMISHANDLINGOFUSERINPUTISHIGHLIGHTEDINFIGURE1MANYOFYOUWILLHAVESEENTHISCOMMONERRORMESSAGEWHENACCESSINGWEBSITES,ANDOFTENINDICATESTHATTHEUSERINPUTHASNOTBEENCORRECTLYHANDLEDONGETTINGTHISTYPEOFERROR,ANATTACKERWILLFOCUSINWITHMORESPECIFICINPUTSTRINGSSPECIFICSECURITYRELATEDCODINGTECHNIQUESSHOULDBEADDEDTOCODINGSTANDARDINUSEWITHINYOURORGANIZATIONTHEDAMAGEDONEBYTHISTYPEOFVULNERABILITYCANBEFARREACHING,THOUGHTHISDEPENDSONTHELEVELOFPRIVILEGESTHEAPPLICATIONHASINRELATIONTOTHEDATABASEIFTHEAPPLICATIONISACCESSINGDATAWITHFULLADMINISTRATORTYPEPRIVILEGES,THENMALICIOUSLYRUNCOMMANDSWILLALSOPICKUPTHISLEVELOFACCESS,ANDSYSTEMCOMPROMISEISINEVITABLEAGAINTHISISSUEISANALOGOUSTOOPERATINGSYSTEMSECURITYPRINCIPLES,WHEREPROGRAMSSHOULDONLYBERUNWITHTHEMINIMUMOFPERMISSIONSTHATISREQUIREDIFNORMALUSERACCESSISACCEPTABLE,THENAPPLYTHISRESTRICTIONAGAINTHEPROBLEMOFSQLSECURITYISNOTTOTALLYADATABASEISSUESPECIFICDATABASECOMMANDORREQUESTSSHOULDNOTBEALLOWEDTOPASSTHROUGHTHEAPPLICATIONLAYERTHISCANBEPREVENTEDBYEMPLOYINGA“SECURECODING”APPROACHAGAINTHISISVEERINGOFFTOPIC,BUTITISWORTHDETAILINGAFEWBASICSTEPSTHATSHOULDBEEMPLOYEDTHEFIRSTSTEPINSECURINGANYAPPLICATIONSHOULDBETHEVALIDATIONANDCONTROLOFUSERINPUTSTRICTTYPINGSHOULDBEUSEDWHEREPOSSIBLETOCONTROLSPECIFICDATAEGIFNUMERICDATAISEXPECTED,ANDWHERESTRINGBASEDDATAISREQUIRED,SPECIFICNONALPHANUMERICCHARACTERSSHOULDBEPROHIBITEDWHEREPOSSIBLEWHERETHISCANNOTBEPERFORMED,CONSIDERATIONSHOULDBEMADETOTRYANDSUBSTITUTECHARACTERSFOREXAMPLETHEUSEOFSINGLEQUOTES,WHICHARECOMMONLYUSEDINSQLCOMMANDSSPECIFICSECURITYRELATEDCODINGTECHNIQUESSHOULDBEADDEDTOCODINGSTANDARDINUSEWITHINYOURORGANIZATIONIFALLDEVELOPERSAREUSINGTHESAMEBASELINESTANDARDS,WITHSPECIFICSECURITYMEASURES,THISWILLREDUCETHERISKOFSQLINJECTIONCOMPROMISESANOTHERSIMPLEMETHODTHATCANBEEMPLOYEDISTOREMOVEALLPROCEDURESWITHINTHEDATABASETHATARENOTREQUIREDTHISRESTRICTSTHEEXTENTTHATUNWANTEDORSUPERFLUOUSASPECTSOFTHEDATABASECOULDBEMALICIOUSLYUSEDTHISISANALOGOUSTOREMOVINGUNWANTEDSERVICESONANOPERATINGSYSTEM,WHICHISCOMMONSECURITYPRACTICEOVERALLINCONCLUSION,MOSTOFTHEPOINTSIHAVEMADEABOVEARECOMMONSENSESECURITYCONCEPTS,ANDARENOTSPECIFICTODATABASESHOWEVERALLOFTHESEPOINTSDOAPPLYTODATABASESANDIFTHESEBASICSECURITYMEASURESAREEMPLOYED,THESECURITYOFYOURDATABASEWILLBEGREATLYIMPROVEDTHENEXTARTICLEONDATABASESECURITYWILLFOCUSONSPECIFICSQLANDORACLESECURITYPROBLEMS,WITHDETAILEDEXAMPLESANDADVICEFORDBASANDDEVELOPERSTHEREAREALOTOFSIMILARITIESBETWEENDATABASESECURITYANDGENERALITSECURITY,WITHGENERICSIMPLESECURITYSTEPSANDMEASURESTHATCANBEANDSHOULDBEEASILYIMPLEMENTEDTODRAMATICALLYIMPROVESECURITYWHILETHESEMAYSEEMLIKECOMMONSENSE,ITISSURPRISINGHOWMANYTIMESWEHAVESEENTHATCOMMONSECURITYMEASURESARENOTIMPLEMENTEDANDSOCAUSEASECURITYEXPOSUREUSERACCOUNTANDPASSWORDSECURITYONEOFTHEBASICFIRSTPRINCIPALSINITSECURITYIS“MAKESUREYOUHAVEAGOODPASSWORD”WITHINTHISSTATEMENTIHAVEASSUMEDTHATAPASSWORDISSETINTHEFIRSTPLACE,THOUGHTHISISOFTENNOTTHECASEITOUCHEDONCOMMONSENSESECURITYINMYLASTARTICLE,BUTITHINKITISIMPORTANTTOHIGHLIGHTTHISAGAINASWITHOPERATINGSYSTEMS,THEFOCUSOFATTENTIONWITHINDATABASEACCOUNTSECURITYISAIMEDATADMINISTRATIONACCOUNTSWITHINSQLTHISWILLBETHESAACCOUNTANDWITHINORACLEITMAYBETHESYSDBAORORACLEACCOUNTITISVERYCOMMONFORSQLSAACCOUNTSTOHAVEAPASSWORDOFSAOREVENWORSEABLANKPASSWORD,WHICHISJUSTASCOMMONTHISPASSWORDLAZINESSBREAKSTHEMOSTBASICSECURITYPRINCIPALS,ANDSHOULDBESTAMPEDDOWNONUSERSWOULDNOTBEALLOWEDTOHAVEABLANKPASSWORDONTHEIROWNDOMAINACCOUNT,SOWHYSHOULDVALUABLESYSTEMRESOURCESSUCHASDATABASESBEALLOWEDTOBELEFTUNPROTECTEDFORINSTANCE,ABLANKSAPASSWORDWILLENABLEANYUSERWITHCLIENTSOFTWAREIEMICROSOFTQUERYANALYSERORENTERPRISEMANAGERTOMANAGETHESQLSERVERANDDATABASESWITHDATABASESBEINGUSEDASTHEBACKENDTOWEBAPPLICATIONS,THELACKOFPASSWORDCONTROLCANRESULTINATOTALCOMPROMISEOFSENSITIVEINFORMATIONWITHSYSTEMLEVELACCESSTOTHEDATABASEITISPOSSIBLENOTONLYTOEXECUTEQUERIESINTOTHEDATABASE,CREATE/MODIFY/DELETETABLESETC,BUTALSOTOEXECUTEWHATAREKNOWNASSTOREDPROCEDURES數(shù)據(jù)庫安全“為什么要確保數(shù)據(jù)庫服務(wù)安全呢任何人都不能訪問這是一個(gè)非軍事區(qū)的保護(hù)防火墻”，當(dāng)我們被建議使用一個(gè)帶有安全檢查機(jī)制的裝置時(shí)，這是通常的反應(yīng)。事實(shí)上，在防護(hù)一個(gè)組織的信息方面，數(shù)據(jù)庫的安全是至高無上的，因?yàn)樗赡軙?huì)間接接觸比我們意識(shí)到的更廣泛的用戶。這是兩篇研究數(shù)據(jù)庫安全文章中的第一篇。在這篇文章中我們將討論一般數(shù)據(jù)庫安全概念和和比較普遍的問題。在下篇文章，我們將把焦點(diǎn)放在特定的MICROSOFTSQL和ORACLE的安全關(guān)注上。近來數(shù)據(jù)庫安全已成為一個(gè)熱門話題。隨著越來越多的人關(guān)注計(jì)算機(jī)安全，我們發(fā)現(xiàn)，防火墻和網(wǎng)絡(luò)服務(wù)器比以前都更加安全化了（雖然這并不等于說現(xiàn)在不再有許多不安全的網(wǎng)絡(luò)存在）。因此，重點(diǎn)是加大對(duì)技術(shù)的考慮力度，譬如以更細(xì)膩的審查態(tài)度對(duì)待數(shù)據(jù)庫。一般安全意識(shí)在我們討論有關(guān)數(shù)據(jù)庫安全問題之前，確保底層操作系統(tǒng)和支撐技術(shù)的安全是審慎而且必要的。如果一個(gè)VANILLA操作系統(tǒng)無法為數(shù)據(jù)庫提供一個(gè)穩(wěn)妥可靠的安全基礎(chǔ)，花費(fèi)太多努力去確保數(shù)據(jù)庫安全是不值得的。當(dāng)安裝操作系統(tǒng)時(shí)，有許多好的文獻(xiàn)資料可以參考。經(jīng)常遇到的一個(gè)普遍問題，就是作為網(wǎng)絡(luò)服務(wù)器托管INTERNETORINTRANET的同一服務(wù)器上數(shù)據(jù)庫的應(yīng)用。雖然這可能節(jié)省的購買一個(gè)單獨(dú)的服務(wù)器費(fèi)用，但這嚴(yán)重影響了安全問題。如果這是確定的，當(dāng)數(shù)據(jù)庫開放地連接到互聯(lián)網(wǎng)這種情況被證實(shí)了。最近的一個(gè)例子，我記得是一個(gè)APACHE網(wǎng)絡(luò)服務(wù)器系統(tǒng)服務(wù)組織在互聯(lián)網(wǎng)上提供的，與ORACLE數(shù)據(jù)庫在互聯(lián)網(wǎng)上提供有關(guān)端口1521。在調(diào)查這個(gè)問題時(shí)進(jìn)一步被發(fā)現(xiàn)，訪問該ORACLE服務(wù)器是沒有服務(wù)器加以制止之類的保護(hù)措施的（包括缺乏密碼）。從互聯(lián)網(wǎng)發(fā)展前景看，這個(gè)數(shù)據(jù)庫是不被推崇的，但默認(rèn)設(shè)置的使用以及粗糙的安全措施，使服務(wù)器更加脆弱。上面提到的問題并不是嚴(yán)格地?cái)?shù)據(jù)庫問題，還可以被歸類為構(gòu)建機(jī)制和防火墻保護(hù)問題，但最終它確是數(shù)據(jù)庫，這是毫不妥協(xié)的。安全方面的考慮從面向網(wǎng)絡(luò)的各部分來看而被迫作出的。你不能依靠任何他人或任何別的事以保護(hù)你的數(shù)據(jù)庫安全。由于SQL和ORACLE開發(fā)的漏洞給攻擊工具一個(gè)得以使用的空間。我在最近為客戶做的一項(xiàng)安全評(píng)估中偶然發(fā)現(xiàn)一個(gè)數(shù)據(jù)庫安全方面的有趣的是。我們正在進(jìn)行對(duì)使用一個(gè)數(shù)據(jù)庫后端（SQL）以存放客戶端的細(xì)節(jié)的企業(yè)內(nèi)部應(yīng)用軟件的測(cè)試。安全審查過程進(jìn)展順利，訪問控制基于WINDOWS認(rèn)證。只有通過認(rèn)證的WINDOWS用戶能夠看到屬于他們的數(shù)據(jù)。這個(gè)應(yīng)用軟件本身好像對(duì)輸入要求進(jìn)行處理，拒絕直接進(jìn)入資料庫的所有嘗試。之后我們?cè)诠ぷ鞯霓k公室偶然發(fā)現(xiàn)一個(gè)該應(yīng)用軟件的備份。這個(gè)媒體裝有SQL數(shù)據(jù)庫的備份，這是我們重新存儲(chǔ)到筆記本電腦上的。所有安全控制均到那些原先并未恢復(fù)數(shù)據(jù)庫的位置上，而且我們能夠在適當(dāng)?shù)奈恢脽o任何限制地瀏覽完整的數(shù)據(jù)庫，以保護(hù)敏感的數(shù)據(jù)。這可能像是一種妥協(xié)的系統(tǒng)安全的方式，但確實(shí)是重要的。往往并不是采取直接的方法攻擊一個(gè)目標(biāo)，并且最終結(jié)果是相同的系統(tǒng)妥協(xié)。數(shù)據(jù)庫備份可以存儲(chǔ)在服務(wù)器上，從而有利于間接地訪問數(shù)據(jù)。以上問題有一個(gè)簡(jiǎn)單的辦法來解決。在SQL2000可以為備份設(shè)定使用密碼保護(hù)。如果備份使用了密碼保護(hù)，當(dāng)創(chuàng)建密碼時(shí)就必須使用密碼。這是一種有效而且不太復(fù)雜的方法阻止備份數(shù)據(jù)的簡(jiǎn)單捕獲。然而這意味著密碼必須記住當(dāng)前趨勢(shì)在IT安全方面有許多當(dāng)前趨勢(shì)，這些中的不少都與數(shù)據(jù)庫安全聯(lián)系起來。數(shù)據(jù)庫安全方面的焦點(diǎn)正吸引著攻擊者的注意力。由于SQL和ORACLE開發(fā)的漏洞給攻擊工具一個(gè)得以使用的空間。這些工具的出現(xiàn)提高了賭注，我們已經(jīng)看到，攻擊主要是針對(duì)服務(wù)器暴露到互聯(lián)網(wǎng)的特定數(shù)據(jù)庫端口。貫穿安全業(yè)的一個(gè)普遍問題是應(yīng)用軟件安全，特別是定制的WEB應(yīng)用程序。隨著WEB應(yīng)用程序的功能變得越來越復(fù)雜，它帶來了應(yīng)用程序編碼方面的安全漏洞的更大的潛在威脅。為了滿足應(yīng)用軟件的功能性要求，后端數(shù)據(jù)存儲(chǔ)通常被用來安排網(wǎng)頁內(nèi)容的格式。這就需要更復(fù)雜的后端數(shù)據(jù)編碼。開發(fā)者使用不同風(fēng)格的代碼開發(fā)，其中一部分沒有安全意識(shí)，這也許是開發(fā)錯(cuò)誤的源頭。SQL注入就是當(dāng)前IT安全業(yè)的一個(gè)熱門話題。隨著愈來愈多的以期縮短時(shí)間的開發(fā)數(shù)據(jù)庫的方式和手段的出現(xiàn)，目前在技術(shù)安全論壇中，爭(zhēng)論是很平常的。SQL注入是一個(gè)容易讓人誤導(dǎo)的術(shù)語，因?yàn)樵摳拍钜策m用于其他的數(shù)據(jù)庫，包括ORACLE，DB2和SYBASE系統(tǒng)。什么是SQL注入SQL注入的是軟件開發(fā)人員所不希望出現(xiàn)的與資料庫使用代碼或指令發(fā)送手段的交流方法。這是發(fā)現(xiàn)在WEB應(yīng)用軟件最常見的形式。任何用戶輸入應(yīng)用軟件所不允許的內(nèi)容是攻擊的一個(gè)常見來源。在座很多朋友已經(jīng)看到了當(dāng)訪問網(wǎng)站時(shí)通常的錯(cuò)誤消息框，而且往往顯示用戶輸入沒有得到正確處理。一旦出現(xiàn)這種類型的錯(cuò)誤，攻擊者將把焦點(diǎn)放在更具體的輸入字符串上。具體的與安全有關(guān)的編碼技術(shù)在使用組織時(shí)應(yīng)加入編碼標(biāo)準(zhǔn)。由于這種類型的脆弱性所造成的損害，可以很深刻的，盡管這會(huì)取決于該應(yīng)用軟件與數(shù)據(jù)庫關(guān)聯(lián)的特權(quán)級(jí)別。如果該軟件以管理者類型權(quán)限訪問數(shù)據(jù)，然后惡意運(yùn)行命令也會(huì)是這一級(jí)別的訪問權(quán)限，此時(shí)系統(tǒng)妥協(xié)是不可避免的。還有這個(gè)問題類似于操作系統(tǒng)的安全規(guī)則，在那里，項(xiàng)目應(yīng)該以最低的權(quán)限運(yùn)行，而且這是必要的。如果是正常的用戶訪問，然后啟用