Wang Jun's Blog
Notes on programming and networking...


First of all, programmers should do their utmost to write secure code; only after that should additional protective measures such as the following be put in place.

urlscan.ini

RuleList=SQL Injection,SQL Injection Headers

[SQL Injection]
AppliesTo=.asp,.aspx
DenyDataSection=SQL Injection Strings
ScanUrl=0
ScanAllRaw=0
ScanQueryString=1
ScanHeaders=

[SQL Injection Strings]
--
%3b ; a semicolon
/*
@ ; also catches @@
char ; also catches nchar and varchar
alter
begin
cast
convert
cursor
declare
delete
drop
end
exec ; also catches execute
fetch
kill
open
select
sys ; also catches sysobjects and syscolumns
table

[SQL Injection Headers]
AppliesTo=.asp,.aspx
DenyDataSection=SQL Injection Headers Strings
ScanUrl=0
ScanAllRaw=0
ScanQueryString=0
ScanHeaders=Cookie

[SQL Injection Headers Strings]
--
@ ; also catches @@
alter
cast
convert
declare
delete
drop
exec ; also catches execute
fetch
insert
kill
select

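As an added illustration (this is not code from the post or from UrlScan itself), the following Python models how the DenyDataSection rules above are applied: each deny string is matched case-insensitively as a raw substring of the query string or of the named headers, for the AppliesTo extensions only. The shortened rule excerpt and the matching semantics are assumptions constructed here.

```python
# Constructed excerpt of the post's urlscan.ini (the deny lists are shortened).
URLSCAN_INI = """
[SQL Injection]
AppliesTo=.asp,.aspx
DenyDataSection=SQL Injection Strings
ScanQueryString=1
[SQL Injection Strings]
--
char ; also catches nchar and varchar
select
table
[SQL Injection Headers]
AppliesTo=.asp,.aspx
DenyDataSection=SQL Injection Headers Strings
ScanHeaders=Cookie
[SQL Injection Headers Strings]
--
insert
select
"""
def load_rules(text):
    """Parse the ini (';' starts a comment) into (name, suffixes, strings, scan_qs, headers)."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            cur, sections[line[1:-1]] = line[1:-1], []
        elif line and cur:
            sections[cur].append(line)
    rules = []
    for name, lines in sections.items():
        kv = dict(l.split("=", 1) for l in lines if "=" in l)
        if "DenyDataSection" in kv:  # only rule sections, not the deny lists themselves
            rules.append((name, tuple(s.lower() for s in kv["AppliesTo"].split(",")),
                          [s.lower() for s in sections[kv["DenyDataSection"]]],
                          kv.get("ScanQueryString") == "1",
                          {h.lower() for h in kv.get("ScanHeaders", "").split(",") if h}))
    return rules
def check_request(path, query, headers, rules):
    """Return (rule name, deny string) that would reject the request, else None.
    Assumed behaviour: case-insensitive raw (undecoded) substring match on scanned parts."""
    for name, suffixes, strings, scan_qs, hdrs in rules:
        if not path.lower().endswith(suffixes):
            continue
        parts = ([query] if scan_qs else []) + [v for h, v in headers.items() if h.lower() in hdrs]
        for s in strings:
            if any(s in p.lower() for p in parts):
                return name, s
    return None
```

The "timetable" case below shows the main caveat of this list: plain substring matching means entries such as table, open and end also reject legitimate parameter values, so test the rules against real traffic before enabling them.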
Reference: http://blogs.msdn.com/b/mike/archive/2008/10/15/how-to-configure-urlscan-3-0-to-mitigate-sql-injection-attacks.aspx


Comments
Arina
There is a critical shortage of informative articles like this.
