Today is the first weekend of the new year. Yesterday Wang Gan got a movie for us, and as a result we didn't get back to rest until 2 in the morning, so I slept in this morning. It was quite comfortable. Still, a little time was wasted sleeping, and having wasted most of the second half of last year is, however you look at it, a lifelong regret.
Yesterday I went to poke around on a community called Quiet Flower. I saw that this community had been up for more than a year and had more than 80 people online at the same time, so I registered an account. Making money on this version of the site is embarrassingly easy: after only a few tries I had earned a 9-digit sum, more than the richest person on the wealth leaderboard. Then I bought something in the community's store for only a few hundred thousand, so perhaps it won't be easy to notice! Later I thought carefully about the original website: I could get control of the machine directly, and I can now run any SQL statement, but the database server and the web server are not the same machine, and the database server is on the internal network, which makes things harder. I thought about it for a long time and had to give up. If the database server and the web server were one machine, and the SQL statements had sufficient privileges, then everything could be done.
To summarize, how to plug the holes in a website:
1) If you use Java, use PreparedStatement instead of building and executing SQL strings directly; every parameter must be bound as a placeholder. If it is ASP, the same rule applies: every input parameter, no matter where it comes from (query string, form, cookie, header), must be sanitized before it goes into a query.
2) The account the application uses to connect to the database must not have excessive privileges, and it must never connect as sa.
3) The web server should be separated from the database server, and the database server should sit on the internal network, reachable only from the web server.
4) The legitimacy of all input data must not be checked only on the client side (front end); it must also be checked on the server side (back end), because client-side checks are trivially bypassed.
5) If there is an upload feature, it must restrict the file types that can be uploaded.
6) The server must be kept fully patched.
7) Before putting a server into service, it is best to run a vulnerability scanner against it so that problems are found in time.
8) Server and database passwords must be complex, preferably 20 or more characters made up of numbers, letters and symbols.
9) After the site goes live, files that are not part of it must be deleted. In particular, source files edited with UE (UltraEdit) automatically get a .bak copy, and if that copy is reachable by visitors it exposes the source code directly; compressed packages used for deployment must likewise be deleted.
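To show concretely what point 1 is protecting against, here is an added example (not code from the original post or from the site described in it). It uses Python's DB-API placeholders with an in-memory SQLite table as a stand-in for Java's PreparedStatement; the users table, the two accounts and the payloads are all constructed for the demonstration. The vulnerable login concatenates input into the SQL string, so a comment marker or an extra OR rewrites the WHERE clause; the parameterized login sends the values separately from the statement, so the same input is matched literally and finds nothing.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny users table, not from any real site."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password, role) VALUES (?, ?, ?)",
        [("admin", "S3cret!", "admin"), ("alice", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, name, password):
    """String concatenation: user input becomes part of the SQL grammar."""
    sql = (
        "SELECT name, role FROM users WHERE name = '" + name
        + "' AND password = '" + password + "' ORDER BY id"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, name, password):
    """Placeholder binding: the driver sends values apart from the statement,
    the equivalent of PreparedStatement.setString(); input can never change
    the query's structure."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ? ORDER BY id"
    return conn.execute(sql, (name, password)).fetchall()


def demo():
    """Run two classic payloads against both versions and return the rows each gives."""
    conn = make_db()
    # Payload 1: close the quote after the name and comment out the password check.
    # The concatenated query becomes: ... WHERE name = 'admin' -- ' AND password = 'wrong' ...
    comment_name = "admin' -- "
    # Payload 2: close the quote in the password and append an always-true clause.
    # The concatenated query becomes: ... AND password = '' OR '1'='1' ORDER BY id
    or_password = "' OR '1'='1"
    return {
        "vulnerable_comment": login_vulnerable(conn, comment_name, "wrong"),
        "safe_comment": login_safe(conn, comment_name, "wrong"),
        "vulnerable_or": login_vulnerable(conn, "nobody", or_password),
        "safe_or": login_safe(conn, "nobody", or_password),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The comment payload logs the attacker in as admin without a password, and the OR payload returns every account; the parameterized version returns nothing for both, while still matching a genuine name and password. The same rule applies to ASP: never let a request value become part of the statement text.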
That is all I can think of for now; I will add more as it comes to mind.
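Point 9 in the list above is easy to check mechanically before a site goes live. The following is an added example, not code from the original post: a scan of a web root for editor backups, deployment archives and database dumps that a visitor could fetch by URL. The suffix list and the sample directory tree are constructed for the demonstration; the editor-backup suffix .bak is the one the post itself mentions for UE.

```python
import os
import tempfile

# Assumed list of suffixes that commonly expose source code or a whole release.
LEFTOVER_SUFFIXES = (
    ".bak", ".old", ".orig", ".swp",          # editor / manual backups (UE writes .bak)
    ".zip", ".rar", ".7z", ".tar.gz", ".tgz",  # deployment archives
    ".sql",                                    # database dumps
)


def find_leftovers(web_root):
    """Return web-root-relative paths of files that should not ship with a site."""
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            lower = name.lower()
            if lower.endswith(LEFTOVER_SUFFIXES) or lower.endswith("~"):
                rel = os.path.relpath(os.path.join(dirpath, name), web_root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def demo():
    """Build a constructed sample web root in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="webroot_")
    sample_files = [
        "index.asp", "login.asp", "login.asp.bak",   # .bak left by the editor
        "inc/db.asp", "inc/db.asp.bak",               # connection string exposed
        "release.zip",                                # deployment package not removed
        "dump.sql",                                   # database export
        "css/main.css",
    ]
    for rel in sample_files:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
    return find_leftovers(root)


if __name__ == "__main__":
    for hit in demo():
        print("leftover:", hit)
```

Run it against the real document root before launch; each reported path is one that `http://host/<path>` would serve as static content. Anything the application needs but must not be served (such as .sql) belongs outside the web root rather than in a "hidden" directory.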