Dissertation on website and database security - need some guidance
I am on my dissertation in my final year at university at the moment. One of the areas I need to research is security - for both websites and for databases. I currently have sections on the following:
- Website
  - Form security - such as data validation. This section is more about preventing errors made by legitimate users as much as possible rather than stopping hackers, for example comparing a field to a regular expression and giving them meaningful feedback on any errors which did occur so as to stop it happening again.
  - Constraints. For example, if a value must be true or false then use a checkbox. If it is likely to be one of several values then use a dropdown or a set of radio boxes, and so on. If the value is unpredictable then use regular expressions to limit what characters they are allowed to enter, and to restrict the length of the string, and sometimes to limit the format (such as for dates / times, post codes and so on).
  - Sometimes you can limit permissions to the form. This is on the occasion that you know exactly who (whether it be people's names or a group of people - such as administrators or employees) is going to need access to the form. Restricting permissions will stop members of the public from being able to access the form.
  - Symbols or strings which could be used maliciously or cause the website to act incorrectly (such as the script tag) should be filtered out or HTML encoded.
  - Captcha images can be used to prevent automated systems from filling in and submitting the form.
  - There are some hacks for file uploads - such as using double extensions - which can allow hackers to upload malicious files.
- Databases (this is nowhere near done yet, but the sections I have planned are listed below)
  - SQL statements vs stored procedures
  - Throwing an error when one of the variables contains particular characters or groups of characters (I can't remember what characters they are, but I have seen a message thrown back at me before where I have tried to enter HTML or something into a text area).
  - SQL Injection - and ways around it, with some examples.
Does anyone have any hints and tips on where I could go for some decent, reliable information either about these areas or about other areas of security that I could cover?
Thanks in advance.
Regards,
Richard
PS I am a complete newbie when it comes to security, so please be patient with me. If any of the information I have put down is wrong or could be sub-sectioned then please feel free to say so.
To get you started on website security, I recommend you go through the following sources -
Both list the top programming errors, and will give you a head-start in this field.