Specific security-related coding techniques should be added to the coding standard in use within your organization.

The damage done by this type of vulnerability can be far-reaching, though this depends on the level of privileges the application has in relation to the database: if the application is accessing data with full administrator-type privileges, then maliciously run commands will also pick up this level of access, and system compromise is inevitable. Again, this issue is analogous to operating system security principles, where programs should only be run with the minimum of permissions that is required. If normal user access is acceptable, then apply this restriction.

Again, the problem of SQL security is not totally a database issue. Specific database commands or requests should not be allowed to pass through the application layer. This can be prevented by employing a "secure coding" approach. Again, this is veering off-topic, but it is worth detailing a few basic steps that should be employed. The first step in securing any application should be the validation and control of user input. Strict typing should be used where possible to control specific data (e.g. if numeric data is expected), and where string-based data is required, specific non-alphanumeric characters should be prohibited where possible. Where this cannot be performed, consideration should be given to substituting characters (for example single quotes, which are commonly used in SQL commands). Specific security-related coding techniques should be added to the coding standard in use within your organization. If all developers are using the same baseline standards, with specific security measures, this will reduce the risk of SQL injection compromises. Another simple method that can be employed is to remove all procedures within the database that are not required. This restricts the extent to which unwanted or superfluous aspects of the database could be maliciously used.
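The input-validation, strict-typing and quote-substitution steps just described can be seen side by side in the following Python example. It is an added illustration written for this page, not code from the article; it uses an in-memory SQLite table seeded with constructed sample rows, and the table name `users`, the column names and the function names are assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample rows for the example (not from the article).
SAMPLE_USERS = [
    (1, "alice", "engineering"),
    (2, "bob", "finance"),
    (3, "carol", "engineering"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, dept TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern: user input is concatenated into the statement text,
    so a quote in the input changes the structure of the query."""
    sql = "SELECT id, name, dept FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


# Allow-list for string input: alphanumerics and underscore only, bounded length.
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_name(name) -> bool:
    """Reject anything outside the allow-list, including quotes and spaces."""
    return isinstance(name, str) and NAME_RE.fullmatch(name) is not None


def is_valid_id(raw) -> bool:
    """Strict typing: an id must be a non-negative int or an ASCII digit string."""
    if isinstance(raw, bool):
        return False
    if isinstance(raw, int):
        return raw >= 0
    return isinstance(raw, str) and raw.isascii() and raw.isdigit()


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    """Hardened pattern: validate the input against the allow-list first, then
    pass it as a bound parameter so it is never parsed as SQL."""
    if not is_valid_name(name):
        raise ValueError("name rejected: only [A-Za-z0-9_]{1,32} is accepted")
    sql = "SELECT id, name, dept FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def lookup_by_id_hardened(conn: sqlite3.Connection, raw_id) -> list:
    """Numeric input: enforce the integer type before it goes anywhere near SQL."""
    if not is_valid_id(raw_id):
        raise ValueError("id rejected: must be a non-negative integer")
    return conn.execute(
        "SELECT id, name, dept FROM users WHERE id = ?", (int(raw_id),)
    ).fetchall()


def escape_single_quotes(value: str) -> str:
    """The character-substitution fallback the article mentions, for cases where a
    parameterised query is not available: double every single quote so it is read
    as a literal character rather than as the end of the string."""
    return value.replace("'", "''")


def demo() -> dict:
    """Run the lookups against one constructed input containing a quote and return
    the row counts, so the difference between the patterns is visible at a glance."""
    conn = build_db()
    probe = "' OR '1'='1"  # constructed input containing a quote
    result = {
        "vulnerable_rows": len(lookup_vulnerable(conn, probe)),
        "escaped_rows": len(lookup_vulnerable(conn, escape_single_quotes(probe))),
        "hardened_accepts_probe": is_valid_name(probe),
        "hardened_rows_for_alice": len(lookup_hardened(conn, "alice")),
    }
    conn.close()
    return result


if __name__ == "__main__":
    print(demo())
```

The concatenated query returns every row for the probe input, the quote-doubled variant returns none, and the hardened path rejects the input before any SQL is built; the bound parameter is the control to rely on, with quote substitution only as the fallback the article describes. The least-privilege point maps onto the account the application connects with: on a server database that is a SELECT grant on the specific tables rather than an administrator role. SQLite has no accounts, so the example shows only the application-layer controls.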
Removing unneeded procedures in this way is analogous to removing unwanted services on an operating system, which is common security practice.

◆ Overall

In conclusion, most of the points I have made above are common-sense security concepts, and are not specific to databases. However, all of these points DO apply to databases, and if these basic security measures are employed, the security of your database will be greatly improved. The next article on database security will focus on specific SQL and Oracle security problems, with detailed examples and advice for DBAs and developers.

There are a lot of similarities between database security and general IT security, with generic simple security steps and measures that can be (and should be) easily implemented to dramatically improve security. While these may seem like common sense, it is surprising how many times we have seen that common security measures are not implemented and so cause a security exposure.

Page 8 of 9

◆ User account and password security

One of the basic first principles in IT security is "make sure you have a good password". Within this statement I have assumed that a passwo