Graduation Project: Translation of Foreign-Language Material
School:
Major and class:
Student name:
Student number:
Supervisor:
Source: Xue Ping Chen, Procedia Engineering, Elsevier, Volume 15 (2011), pp. 4131-4135; /science/article/pii/S1877705811022764 (table of contents for this volume/issue: /science/journal/18777058/15/supp/C)
Attachments: 1. Translation of the foreign-language material; 2. Original foreign-language text
Supervisor's comments: Basically meets the translation requirements. Signature:            Date (year / month / day):

Attachment 1: Translated text

Research on SQL Injection Attack and Prevention Techniques

Abstract
Because of the many vulnerabilities in Web servers and the lack of rigor in their programs, script-based attacks on Web servers are increasing; most of them use ASP or PHP script injection as the main attack technique, and with today's rapid expansion of websites, SQL injection has gradually become the mainstream method. An SQL injection attack is a technique that works by inserting harmful characters. The attacker exploits the fact that the programmer checks the legitimacy of user input loosely or not at all, and deliberately submits specially crafted code from the client in various ways so that the server processes it, thereby collecting information about the program and the server and obtaining the desired data. This paper briefly introduces the concept and principle of SQL injection attacks and the process by which they are carried out, and on that basis describes how to detect SQL injection attacks and summarizes general prevention methods. Prevention techniques for injection attacks against an ASP website platform are analyzed as an example, so that anti-SQL-injection techniques can be applied more effectively in practical web security systems to resist hackers and other malicious damage.

Introduction
With the spread of the Internet and the rapid development of the Web, Web applications have not only improved enterprises' working efficiency but also strengthened their market competitiveness. The Web platform has the advantages of flexibility, efficiency and low cost, which have greatly improved the working efficiency of the relevant departments, promoted the all-round development of enterprises' actual business, and enhanced exchange, service and interaction between departments and the outside world. After more than ten years of development of China's computer industry, national industrial production management systems are all built on the Internet architecture; domestic defense engineering, government offices, financial systems, online games, online banking and online transactions are all inseparable from the network. Today's Internet has become an indispensable part of life. How to effectively ensure the stable and secure operation of the network is an important topic, and a headache for network managers of all kinds.

Background and network environment of SQL injection
Because of the many vulnerabilities in Web servers and their lack of rigor, attacks on Web server scripts are increasing, mostly using ASP or PHP script injection as the main means; together with the rapid growth in the number of websites, attacks based on SQL injection have become the mainstream. In the process of building Web applications it is common for script authors to neglect security testing of program code, leaving a large number of Web servers with vulnerabilities in the interactive operations they provide; at least 70% of websites are said to have SQL injection flaws. A malicious user can exploit defects in the server, in the database configuration and in the program's structure, and submit carefully constructed illegal statements through programs or scripts, to break into the server, obtain website administrator privileges and read the contents of the database; in serious cases the attacker can obtain information about the entire system the server is connected to. This not only seriously threatens the information in the database but even threatens the system and its users.

Web security situation
As network applications deepen, the number of websites on the Internet is growing at an astonishing rate. Government departments, enterprises and management agencies of all kinds build information platforms for their business applications through websites. A website is a center for releasing information, and its database stores a large amount of important information and material shared by users. Therefore ensuring the normal operation of the website, its security, is an important issue that must be fully considered in website construction and operation. Although Internet applications have grown rapidly in scale, the complexity of the network environment and of information systems and the variability of vulnerabilities mean that existing computer systems still lack security protection commensurate with the scale of their own application development, and a large number of online threats use all kinds of hidden means to batter network application platforms continuously. Network security problems are not reflected only at the level of information technology; in real social activity, threats are driven mostly by the prospect of huge profit.

Unauthorized website access
The Internet is an open network without a controlling authority. The openness of the TCP/IP-based Internet protocol family allowed all kinds of computer networks to interconnect, and directly promoted the rapid development of Internet technology. But because security was neglected in early network protocol design, the use and management of the Internet became chaotic, and the safety and security of the Internet itself gradually came under threat. Hackers often get the chance to break into computer systems on the network, to steal confidential data and privileges, to destroy important data, or to prevent the system from functioning fully, up to complete paralysis. Unauthorized website access is fatal to web security and causes the greatest degree of harm. Simple and short system passwords, various operating system vulnerabilities, various application software defects, default shared folders, a large number of open network application services and security levels set too low all make illegal intrusion by hackers easier.

Information security management
Information security management includes physical protection and application protection. Physical protection means installing physical barriers in the physical environment of the network's equipment to prevent eavesdropping on the electromagnetic signals of physical lines. In the network management center, at important data exchange and data storage sites, a relatively independent network switching center and important switching nodes are set up according to confidentiality construction requirements and standards, and measures such as anti-static grounding, physical shielding and prevention of electromagnetic interference are adopted to suppress the electromagnetic radiation produced by data exchange, thereby preventing information from spreading and being illegally intercepted. Application protection refers to protection of the electronic information system at every stage of its application. At present most electronic information on Web servers is stored in databases; in response to the requirements of various Web applications, computers store, transmit and process electronic information, which does not yet enjoy the envelope protection and signature of traditional mail. Whether the source of the information is genuine, whether the content is intact, and whether it has been leaked or altered are all management security problems.

Network virus propagation
As the scale of networks expands, computer network viruses play an ever greater role in the threat to websites. Network viruses spread very quickly on the Internet, and their harm is enormous.

The network environment of SQL injection
The SQL Server system is the main source from which injection attacks obtain sensitive information and server system information, and also a stepping stone for further connections. SQL Server, made by Microsoft, is a comprehensive database management system platform that integrates various tools and can provide user-level and enterprise-level data management. SQL Server is recognized as the best database platform running on Windows. It has a symmetric multiprocessor structure, preemptive multitasking management, and complete fault tolerance and recovery capabilities. SQL Server is a client/server (C/S) data management platform specially designed for a wide range of corporate clients and independent software vendors creating commercial applications; in its database structure, methods of use and data management mode it fully embodies convenience for the user and meets user needs. But many of the security vulnerabilities used by injection attacks come precisely from this user-oriented structure and functionality; for example, the internal functions provided for convenience allow a malicious attacker to call them and operate on the underlying operating system.

Technical analysis of SQL injection attacks
With the development of the client/server (C/S) model, more and more Web applications will be written with this technique. As the main medium for information exchange between enterprises and individuals, the Web server is accessible to anyone, and because the security awareness of today's network programmers is uneven, a considerable part of server code does not consider security filtering of input information, leaving Web server and database server programs with serious hidden security dangers. A malicious user can use this to obtain control of the server's front end and back end: taking advantage of the interactive interfaces that servers present, the attacker submits carefully constructed malformed statements through the client browser, and the server's parsing and processing of them achieves the purpose of the attack.

Prevention methods
Using parameterized statements. To defend against SQL injection, user input must never be embedded directly in an SQL statement. Instead, the user input must be filtered, or parameterized statements must be used. A parameterized statement uses parameters instead of putting the user input into the statement text. In most cases the SQL statement is fixed, and the user input is then confined to a parameter.

Conclusion
This paper has discussed the methods, principles and implementation process of SQL injection attacks. Because SQL injection attacks exploit programming vulnerabilities introduced during application development, the attack can bypass the vast majority of firewalls. Although database server versions have been updated and the scripting languages themselves have fewer weaknesses, SQL injection techniques keep improving, and as long as such vulnerabilities still exist in a Web application system or its source, the problem will lie dormant; especially when SQL injection attacks are combined with other attack tools, they pose a huge threat to servers and systems. Therefore, studying methods of preventing SQL injection attacks, paying attention to the security of the SQL Server configuration and strengthening the filtering and checking of user input in code are of great significance for developing secure Web applications. With the development of network security technology, SQL injection attack techniques need further research, because SQL injection is quite flexible and many unexpected situations arise when injecting. Therefore, when setting up a Web server, the security of the host and the system should be considered as a whole, the security options of the server and the database should be set, and the security checking of the code should be completed; in this way such situations can be avoided and network security achieved to the greatest extent.

Attachment 2: Original text

Abstract
Due to the various Web server vulnerabilities and the lack of rigor in their programs, script attacks on Web servers are increasing; most of them use ASP or PHP script injection as the main attack means, and with the rapid expansion of websites today, SQL injection has slowly become the mainstream way. An SQL injection attack uses the technique of inserting harmful characters. The attacker exploits the fact that programmers check the legitimacy of user input data loosely or not at all, and deliberately submits special code from the client in various ways to manipulate data, thereby collecting program and server information and obtaining the desired information. This paper briefly introduces the concept and principle of SQL injection attacks and the process of realizing them, and on this basis describes how to detect SQL injection attacks and summarizes the general prevention methods. Examples of injection attack prevention technology for an ASP website platform are analyzed, so that anti-SQL-injection technology plays a better role in the practical application of web security systems and resists hackers and other malicious damage more effectively.

Introduction
With the spread of the Internet and the rapid development of the Web, Web applications have not only improved the efficiency of work in enterprises but also strengthened enterprises' market competitiveness. The Web platform has flexibility, efficiency, low cost and other informational advantages; it has greatly improved the working efficiency of the related departments, promoted the thorough development of actual business, and enhanced exchange, service and interaction between departments and the outside world. After more than ten years of development of our country's computer industry, national industrial production management systems are based on the Internet architecture, and the country's defense engineering, government offices, financial systems, network games, online banking and network transactions are inseparable from the network. Today's Internet has become an indispensable part of life. How to effectively ensure network stability and safe operation is an important topic, and a headache for network managers of all kinds.

SQL Injection Background and Network Environment
Because of various Web server vulnerabilities and the lack of rigor in their programs, script attacks on Web servers are increasing, mostly through ASP or PHP script injection as the main attack means; with the rapid growth in the number of websites, SQL injection has become the mainstream of attacks. In the process of building Web applications, script writers commonly neglect safety testing of program code, resulting in a large number of loopholes in the interactive operations the Web server provides; at least 70% of sites have SQL injection flaws. Malicious users can use defects in the server and in the database configuration, together with elaborately structured illegal statements submitted through programs or scripts, to invade the server, obtain website administrator permissions and obtain the relevant database content; in serious cases they can obtain information about the whole system the server is connected to. This is not only a serious threat to the information in the database, but even a threat to the systems and the users themselves.

Web Security Situation
With the deepening of network applications, the number of Internet websites is increasing at an amazing speed. Government departments, enterprises and various management agencies all establish information platforms for various business applications through websites. A website is an information release center, and its database stores a large amount of important information and material for users to share. Therefore, ensuring the normal operation of the website, its security, is an important issue that should be fully considered in the process of website construction and operation. Although the scale of Internet applications has developed rapidly, the complexity of the network environment and of information systems and the variability of vulnerabilities mean that existing computer systems still do not have security protection commensurate with the scale of their own application development, and a large number of online threats use all sorts of hidden ways to constantly pound network application platforms. Network security problems are not reflected only at the technical level of information countermeasures; in actual social activities, threats are generated more by the drive of huge interests.

Website Unauthorized Access
The Internet is an open network with no controlling agency. The openness of the TCP/IP-based Internet protocol family let various computer networks interconnect, and directly promoted the rapid development of Internet technology. But because safety was neglected in early network protocol design, the use and management of the Internet became chaotic, and the safety and security of the Internet itself gradually came under threat. Hackers often get the chance to intrude into computer systems on the network, to steal confidential data and privileges, to destroy important data, or to keep the system from functioning fully, up to paralysis. Unauthorized website access is fatal to web security, and its degree of harm is the largest. Simple and short system passwords, various operating system vulnerabilities, various application software defects, default shared folders, a large number of open network application services and security levels set too low all offer convenience to hackers' illegal invasion.

Information Security Management
Information security management includes physical protection and application protection. Physical protection refers to installing barriers in the physical environment of the network's physical equipment to prevent eavesdropping on the electromagnetic signals of physical lines. In the network management center and at important data exchange and data storage places, according to confidentiality construction requirements and standards, a relatively independent network exchange center and important switching nodes are set up, and anti-static grounding, physical shielding, prevention of electromagnetic interference and other measures are adopted to restrain the electromagnetic radiation signals of data exchange, thus preventing information from diffusing and being illegally eavesdropped on physically. Application protection refers to shielding the electronic information system at the various links of its application. At present most electronic information on Web servers is stored in databases; in response to the requirements of various Web applications, computers store, transmit and process electronic information, which does not yet have the envelope protection and signature of traditional mail communication. Whether the source of the information is true, whether the content is intact, and whether it has leaked or changed are all aspects of management safety problems.

Network Virus Spread
With the expanding size of networks, computer network viruses play a bigger role in the threat to sites. Network viruses spread very fast on the Internet, and their harm is enormous.

The SQL Injection Network Environment
The SQL Server system is the major source from which injection attacks obtain sensitive information and server system information, and also a diving board for further connections. SQL Server is a comprehensive database management system platform made by Microsoft; it integrates various tools and can provide user-level and enterprise-level data management. SQL Server is recognized as the best database platform running on Windows. It has a symmetric multiprocessor structure, preemptive multitasking management, and complete fault tolerance and restore ability. SQL Server is a client/server (C/S) data management platform specially designed for a wide range of corporate clients and independent software vendors creating commercial applications; in its database structure, methods of use and data management mode it fully embodies convenience for customers and meets the needs of users. Much of the security vulnerability used by injection attacks also comes from this meeting of user needs in structure and function; for example, internal function calls provided for convenience allow malicious attackers to reach the underlying operating system.

SQL Injection Attack Technical Analysis
With the development of the client/server (C/S) model, more and more web applications will be written using this technique. The Web server, now the main medium of information exchange between enterprises and individuals, is accessible to anyone in the general public, and because the safety consciousness of current network programmers is uneven, quite a part of server code does not consider security filters for input information, so that Web server and database server programs carry serious hidden security dangers. A malicious user can use this to obtain front-end and back-end control privileges on the server. The injection attack takes advantage of the interactive interfaces that present-day servers expose: the attacker submits a carefully constructed malformed statement through the client browser, and the server's interactive analytical processing of it achieves the purpose of the attack.

Preventive Methods
The use of parameterized statements. To defend against SQL injection, user input must absolutely never be embedded directly in SQL statements. On the contrary, the user input must be filtered, or parameterized statements must be used. Parameterized statements use parameters rather than putting user input into the statement text. In most cases the SQL statement is fixed; the user input is then limited to a parameter.

Conclusion
In
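The "carefully constructed malformed statement" from the attack analysis and the parameterized statement from the preventive methods, side by side, as an added example that is not part of the paper or of any project it describes. It uses Python with the standard library's sqlite3 module instead of the ASP and SQL Server stack the paper discusses; the binding mechanism is the same in both (the driver sends parameter values separately from the statement text, so they are never parsed as SQL). The in-memory database, the users table and its two rows are constructed here purely for illustration.

```python
"""Vulnerable string-built SQL beside its parameterized form (added example).

The in-memory database, the users table and its two rows are constructed
here purely for illustration; none of it comes from the paper.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "s3cret-admin", "administrator"),
         ("alice", "alice-pass", "user")],
    )
    conn.commit()
    return conn


def query_vulnerable(conn, username, password):
    """The pattern the paper warns about: user input concatenated into SQL.

    Returns every matching (id, username, role) row. Because the input is
    spliced into the statement text, a quote or comment sequence in it is
    parsed as SQL by the engine.
    """
    sql = (
        "SELECT id, username, role FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_vulnerable(conn, username, password):
    """Login check built on the vulnerable query; first match or None."""
    rows = query_vulnerable(conn, username, password)
    return rows[0] if rows else None


def login_parameterized(conn, username, password):
    """The paper's fix: fixed statement text, input bound as parameters.

    The values travel separately from the SQL text, so "admin' --" is
    compared against the username column as a literal string.
    """
    sql = "SELECT id, username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo():
    """Run a legitimate login and three crafted inputs through both forms."""
    conn = make_db()
    results = {}
    # Legitimate credentials: both forms agree.
    results["normal_vuln"] = login_vulnerable(conn, "alice", "alice-pass")
    results["normal_safe"] = login_parameterized(conn, "alice", "alice-pass")
    # Crafted username comments out the password check; vulnerable SQL becomes
    #   ... WHERE username = 'admin' --' AND password = 'x'
    results["comment_vuln"] = login_vulnerable(conn, "admin' --", "x")
    results["comment_safe"] = login_parameterized(conn, "admin' --", "x")
    # Always-true predicate in the password field; vulnerable SQL becomes
    #   ... WHERE username = 'nobody' AND password = '' OR '1'='1'
    results["tautology_vuln"] = login_vulnerable(conn, "nobody", "' OR '1'='1")
    results["tautology_safe"] = login_parameterized(conn, "nobody", "' OR '1'='1")
    # UNION pulls the password column out through the vulnerable query: the
    # "obtain the relevant database content" step the paper describes.
    leaked = query_vulnerable(
        conn, "x' UNION SELECT id, username, password FROM users --", "")
    results["leaked_passwords"] = sorted((r[1], r[2]) for r in leaked)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} {value}")
```

Running the module prints each result; the crafted inputs log in as the administrator and dump both stored passwords through `login_vulnerable` and `query_vulnerable`, while `login_parameterized` returns `None` for every one of them because the bound value has to equal a stored username or password character for character. Of the two alternatives the paper names, filtering is the weaker one: an escaping routine has to know every quoting and comment convention of the particular database engine, whereas a bound parameter is never handed to the SQL parser at all.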