Research on Data Security Evaluation Technology Based on SQL Injection
[Abstract]: With the rapid development of B/S-mode application technology and the wide use of databases on the Web, SQL injection has gradually become one of the methods hackers most commonly use to attack databases. However, because the skill level of developers working in the B/S mode is uneven, a considerable number of programmers do not fully consider validating user-entered data when developing programs, which leaves applications with serious security risks. The data security problem arising from SQL injection vulnerabilities is therefore of great significance. First, this paper analyzes the current state of research and the technology development trends of SQL injection at home and abroad. It expounds the relevant principles of SQL injection, briefly analyzes its key technologies and basic principles, and analyzes the common SQL injection attack methods one by one. SQL injection scanning technology and injection detection technology are also analyzed and studied. Second, the working mechanism and technical characteristics of web crawlers are described in detail, and the several forms of URL that a web crawler needs to extract are analyzed in detail. On this basis, DOM tree generation, page control event binding, dictionary guessing, passive analysis, search engine use, and other technologies are analyzed and studied. Then, the paper makes a detailed analysis of SQL injection techniques for Oracle databases, mainly covering the related knowledge of Oracle database SQL injection, query statements, executing system commands, reading and writing files, and so on. Finally, defense technology against SQL injection is studied, several defense methods are put forward, and the conditions to which each defense method is suited are expounded.
This paper constructs a data security system based on SQL injection, presents the division of the system into functional modules together with running examples of those modules, and preliminarily verifies the effectiveness of the system by testing on an actual website.
[Degree-granting institution]: Shenyang University of Technology
[Degree level]: Master's
[Year degree conferred]: 2012
[Classification number]: TP309
Article ID: 2265486
Article link: http://sikaile.net/kejilunwen/sousuoyinqinglunwen/2265486.html