By now there are some good SQL injection guidelines for application developers, such as the following: All data entered by users must be sanitized of any characters or strings that are not part of the input expression, and all input fields must be validated.

7 Using the Database To Do Too Much

For many years Sun's tagline was "the network is the computer." Looking at some of the latest database products, you can't help but wonder if the vendors think that the database is the computer. Well, it's not, and it should not be used as such. The database is not an operating system. It is not a Web server. It is not an application server. It is not a Web services provider. It is a database, and managing data is hard enough.

In this chapter you'll see many of the advanced features that databases have today: features that allow you to call functions deployed on the operating system through the database, to call stored procedures using a Web interface, and more. These features will become increasingly mainstream, even though from a security perspective they introduce additional problems and complexities. The goal of this chapter is to make you aware of the potential risks, convince you to stay away from some of the more dangerous features, and give you enough information so that if you decide to enable these features anyway, you will pay more attention to their security aspects.

Don't use external procedures

All databases have a query language and a procedural language (well, almost all of them; MySQL before version 5 actually doesn't have the latter). Each of the procedural languages of the main database servers is highly functional and robust. In addition, all of the databases have a large set of built-in procedures that you can use when writing programs. However, the database vendors often go an extra step and provide you with mechanisms for invoking functions that reside outside the database runtime. This can cause many problems related to elevated privileges, as you'll see in the next few sections.

Disable Windows extended stored procedures

Extended stored procedures are DLLs that
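The subsection on disabling Windows extended stored procedures breaks off above. The T-SQL below is an added example, not the book's own code: it inventories the extended stored procedures registered on a SQL Server instance, shows who is allowed to execute them, and turns off the server options that let the database reach the operating system. It assumes SQL Server 2005 or later and sysadmin rights in the master database; every name in it is a real SQL Server object, view or configuration option except xp_custom_example, which is a placeholder for a third-party procedure you have decided to remove.

```sql
-- Added example (not from the book): inventory and lock down Windows
-- extended stored procedures on SQL Server. Assumes SQL Server 2005 or
-- later, run in master by a sysadmin. All object, view and option names
-- are real SQL Server identifiers except xp_custom_example (placeholder).
USE master;
GO

-- 1. Inventory: every registered extended stored procedure and the DLL it
--    loads into the database engine process. Entries whose DLL is not part
--    of the SQL Server installation are the first thing to review.
SELECT name, dll_name, create_date
FROM sys.extended_procedures
ORDER BY name;
GO

-- 2. Exposure: who holds EXECUTE on those procedures. Grants to public, or
--    to logins that are not administrators, widen the path from a
--    compromised application account to the operating system.
SELECT o.name       AS procedure_name,
       dp.name      AS grantee,
       p.state_desc AS grant_state
FROM sys.database_permissions   AS p
JOIN sys.objects                AS o  ON o.object_id    = p.major_id
JOIN sys.database_principals    AS dp ON dp.principal_id = p.grantee_principal_id
WHERE o.type = 'X'                    -- X = extended stored procedure
  AND p.class = 1                     -- object-level permission
  AND p.permission_name = 'EXECUTE'
ORDER BY o.name, dp.name;
GO

-- 3. Current state of the two server options that expose the operating
--    system through the database: xp_cmdshell (run OS commands) and
--    Ole Automation Procedures (instantiate COM objects from T-SQL).
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures');
GO

-- 4. Hardening: turn both off. RECONFIGURE applies the change without a
--    restart; 'show advanced options' must be on before either can be set.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
GO

-- 5. Remove any EXECUTE grant to public on the most dangerous procedure
--    (a no-op if no such grant exists), and unregister a third-party
--    extended procedure the application does not need.
--    xp_custom_example is a placeholder name, not a real procedure.
REVOKE EXECUTE ON OBJECT::dbo.xp_cmdshell FROM public;
EXEC sp_dropextendedproc 'xp_custom_example';
GO
```

Run the three SELECT batches first and review the output before applying steps 4 and 5: the inventory tells you which DLLs are loaded into the engine process, and the permission listing tells you which non-administrative principals could reach them through an injected query.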