http://blogs.msdn.com/jchiou/archive/tags/patterns+_2600_amp_3B00_+practices/default.aspxTags: patterns &amp; practicesen-USCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.msdn.com/jchiou/archive/2008/05/26/sql-injection.aspxMon, 26 May 2008 11:01:39 GMT91d46819-8472-40ad-a661-2c78acb4018c:8552068jchiou3http://blogs.msdn.com/jchiou/comments/8552068.aspxhttp://blogs.msdn.com/jchiou/commentrss.aspx?PostID=8552068<p><b><u>SQL Injection(</u></b><b><u>資料隱碼)攻擊行為簡介</u></b></p> <blockquote> <p>以下是此類攻擊的流程</p> </blockquote> <blockquote> <p>1. 駭客運用搜尋引擎尋找網頁上的漏洞，並運用自動化工具攻擊網路服務器。</p> </blockquote> <blockquote> <p>2. 一個&lt;script&gt;字串附加到在後端運行的SQL伺服器中所有的文本或可變長字串列中。</p> </blockquote> <blockquote> <p>3. 這個腳本與駭客所控制伺服器連接。該伺服器含有一些常用軟體的利用代碼，如Microsoft MS06-014， 協力廠商軟體漏洞，（例如常用的媒體播放器及內容下載軟體）。有的時候還有一些零時差漏洞。</p> </blockquote> <blockquote> <p>4. 當終端使用者試圖用IE流覽正常的網站時，由於這些網頁都將從SQL伺服器獲取資料，這些資料同時包含了惡意腳本&lt;script&gt;。而 這些腳本會自動連接到駭客的網站。</p> </blockquote> <blockquote> <p>5. 如果普通使用者沒有依照建議安裝修正程式，防毒軟體，或尚未安裝Microsoft或協力廠商軟體最新版本的更新，那麼他們的電腦就會被感染。</p> <p><a href="http://blogs.msdn.com/blogfiles/jchiou/WindowsLiveWriter/SQLInjection_E14E/clip_image001_2.jpg"><img style="border-right: 0px; border-top: 0px; border-left: 0px; border-bottom: 0px" height="301" alt="clip_image001" src="http://blogs.msdn.com/blogfiles/jchiou/WindowsLiveWriter/SQLInjection_E14E/clip_image001_thumb.jpg" width="557" border="0" /></a></p> </blockquote> <p><a href="http://blogs.msdn.com/blogfiles/jchiou/WindowsLiveWriter/SQLInjection_E14E/clip_image001_2.jpg"></a></p> <p><b><u>SQL Injection(</u></b><b><u>資料隱碼)攻擊行為的解決方案</u></b></p> <blockquote> <p>一旦web伺服器遭到SQL注入攻擊，請遵循如下步驟：</p> </blockquote> <blockquote> <p>1、關閉網站</p> </blockquote> <blockquote> <p>2、檢查IIS日誌，查找引起這次攻擊的有漏洞的目標網頁</p> </blockquote> <blockquote> <p>3、聯繫web開發者，修改並加強ASP頁面。</p> </blockquote> <blockquote> <p>注意這只是一種變通的解決方法，只能臨時解決SQL Injection問題。該網站可能在伺服器再次聯網後被再次注入。為了徹底解決這個問題，請參閱&#8220;預防<u>SQL Injection(資料隱碼)攻擊</u>的解決方案&#8221;。</p> <p>&#160;</p> </blockquote> <p><b><u>預防SQL注入攻擊的解決方案</u></b></p> <blockquote> <p>這種SQL Injection攻擊是由網頁程式開發不符合安全編碼的要求所引起的。為了防止攻擊，我們需要驗證所有網頁的字串輸入的函數。比如說，帶有用戶名和密碼輸入框的網站登錄頁。</p> </blockquote> <blockquote> <p>我們也可以在微軟的官方網站上找到安全指導和最佳實踐建議，來應對<u>SQL Injection(資料隱碼)攻擊</u>。</p> </blockquote> <blockquote> <p>用來減緩與解決SQL Injection攻擊的最佳實踐建議可以在這裡找到：</p> </blockquote> <blockquote> <p><a href="http://msdn2.microsoft.com/en-us/magazine/cc163917.aspx">http://msdn2.microsoft.com/en-us/magazine/cc163917.aspx</a></p> </blockquote> <blockquote> <p>SQL 資料隱碼<strong> </strong></p> </blockquote> <blockquote> <p><a href="http://msdn.microsoft.com/zh-tw/library/ms161953.aspx">http://msdn.microsoft.com/zh-tw/library/ms161953.aspx</a></p> </blockquote> <blockquote> <p>『資料隱碼』SQL Injection的源由與防範之道 </p> </blockquote> <blockquote> <p><a href="http://www.microsoft.com/taiwan/sql/SQL_Injection.htm">http://www.microsoft.com/taiwan/sql/SQL_Injection.htm</a></p> </blockquote> <blockquote> <p>SQL Injection (資料隱碼)&#8211; 駭客的 SQL填空遊戲(上)</p> </blockquote> <blockquote> <p><a href="http://www.microsoft.com/taiwan/sql/SQL_Injection_G1.htm">http://www.microsoft.com/taiwan/sql/SQL_Injection_G1.htm</a></p> </blockquote> <blockquote> <p>SQL Injection (資料隱碼)&#8211; 駭客的 SQL填空遊戲(下) </p> </blockquote> <blockquote> <p><a href="http://www.microsoft.com/taiwan/sql/SQL_Injection_G2.htm">http://www.microsoft.com/taiwan/sql/SQL_Injection_G2.htm</a></p> </blockquote> <blockquote> <p>How To - Protect from Injection Attacks in ASP.NET</p> </blockquote> <blockquote> <p><a href="http://msdn.microsoft.com/en-us/library/bb355989.aspx">http://msdn.microsoft.com/en-us/library/bb355989.aspx</a></p> </blockquote> <blockquote> <p>How To - Protect from SQL Injection in ASP.NET </p> </blockquote> <blockquote> <p><a href="http://msdn.microsoft.com/en-us/library/ms998271.aspx">http://msdn.microsoft.com/en-us/library/ms998271.aspx</a></p> </blockquote> <blockquote> <p>How To - Protect from Cross-Site Scripting in ASP.NET</p> </blockquote> <blockquote> <p><a href="http://msdn.microsoft.com/en-us/library/ms998274.aspx">http://msdn.microsoft.com/en-us/library/ms998274.aspx</a></p> </blockquote> <blockquote> <p>Design Guidelines</p> </blockquote> <blockquote> <p><a href="http://msdn.microsoft.com/en-us/library/aa302420.aspx">http://msdn.microsoft.com/en-us/library/aa302420.aspx</a></p> </blockquote> <blockquote> <p>Arch/Design Inspection</p> </blockquote> <blockquote> <p><a href="http://msdn.microsoft.com/en-us/library/aa302421.aspx">http://msdn.microsoft.com/en-us/library/aa302421.aspx</a></p> </blockquote> <p>&#160;</p> <p>對於用戶端使用者，請確保電腦系統中已安裝了微軟及協力廠商軟體的最新安全修正程式以及最新的防毒程式定義檔。 </p> <p>注意，SQL Injection 不只會在 MS SQL Server 上會發生，在其它廠牌的資料庫產品也可能會有相同的情況發生。</p><img src="http://blogs.msdn.com/aggbug.aspx?PostID=8552068" width="1" height="1">SQL Server 2005VSTSSharePoint Server 2007Office 2007SilverlightExchange 2007patterns & practicesWSS 3.0IE7Windows 2008Visual Studio 2008SQL Server 2008IIS 7.0Windows 2003C#patterns &amp; practicesCRM 4.0Project Server 2007RMSTFS 2008VSTTBizTalk Server 2006VistaTFS 2005Team BuildGroove 2007http://blogs.msdn.com/jchiou/archive/2008/05/21/enterprise-library-4-0-may-2008.aspxWed, 21 May 2008 11:06:15 GMT91d46819-8472-40ad-a661-2c78acb4018c:8527007jchiou1http://blogs.msdn.com/jchiou/comments/8527007.aspxhttp://blogs.msdn.com/jchiou/commentrss.aspx?PostID=8527007<p>The patterns &amp; practices Enterprise Library is a collection of reusable application blocks designed to assist software developers with common enterprise development challenges. This following application blocks are included: Caching Application Block, Cryptography Application Block, Data Access Application Block, Exception Handling Application Block, Logging Application Block, Policy Injection Application Block, Security Application Block, Validation Application Block, and Unity Application Block. <br />This release includes: </p> <ul> <li>Support for Visual Studio 2008.</li> <li>Integration with the Unity dependency injection container.</li> <li>WMI2 support and improved instrumentation.</li> <li>Support for pluggable cache managers.</li> <li>Performance improvements</li> </ul> <p>&#160;</p> <p><a title="http://www.microsoft.com/downloads/details.aspx?FamilyID=90DE37E0-7B42-4044-99BE-F8ECFBBC5B65&amp;displaylang=en" href="http://www.microsoft.com/downloads/details.aspx?FamilyID=90DE37E0-7B42-4044-99BE-F8ECFBBC5B65&amp;displaylang=en">http://www.microsoft.com/downloads/details.aspx?FamilyID=90DE37E0-7B42-4044-99BE-F8ECFBBC5B65&amp;displaylang=en</a></p><img src="http://blogs.msdn.com/aggbug.aspx?PostID=8527007" width="1" height="1">patterns & practicesVisual Studio 2008patterns &amp; practiceshttp://blogs.msdn.com/jchiou/archive/2008/04/25/msdn.aspxFri, 25 Apr 2008 05:31:39 GMT91d46819-8472-40ad-a661-2c78acb4018c:8423255jchiou2http://blogs.msdn.com/jchiou/comments/8423255.aspxhttp://blogs.msdn.com/jchiou/commentrss.aspx?PostID=8423255<p>您是否覺得很難在 MSDN 快速找到需要的資訊? </p> <p>MSDN 團隊正致力於改善您在尋找所需資訊時的體驗。請花個兩分鐘來告訴我們您想要的內容格式和搜尋方式。 <a href="http://www.surveymonkey.com/s.aspx?sm=OWE6q6ruFnG2%2ftC54EdiqQ%3d%3d">詳細內容...</a></p> <p>雖然 MSDN 已經比以前好很多了，但我們都希望它可以更好，筆者自己也有做完問卷，大家有空時可以填一下，感恩。</p><img src="http://blogs.msdn.com/aggbug.aspx?PostID=8423255" width="1" height="1">SQL Server 2005VSTSSharePoint Server 2007Office 2007SilverlightExchange 2007patterns & practicesWSS 3.0IE7Windows 2008Visual Studio 2008SQL Server 2008IIS 7.0Windows 2003C#patterns &amp; practicesCRM 4.0Project Server 2007RMSTFS 2008VSTTBizTalk Server 2006Vistahttp://blogs.msdn.com/jchiou/archive/2008/04/09/web-application-block.aspxWed, 09 Apr 2008 05:39:50 GMT91d46819-8472-40ad-a661-2c78acb4018c:8370832jchiou1http://blogs.msdn.com/jchiou/comments/8370832.aspxhttp://blogs.msdn.com/jchiou/commentrss.aspx?PostID=8370832<p><a href="http://www.microsoft.com/info.aspx?na=22&amp;p=355&amp;SrcDisplayLang=en&amp;SrcCategoryId=&amp;SrcFamilyId=&amp;u=%2fdownloads%2fdetails.aspx%3fFamilyID%3df6aacdb8-fd50-4a8a-b3a1-d8cb7ad1f7d5%26DisplayLang%3den">Web Client Search Application Block for .NET Framework 2.0</a></p> <p>This application block provides guidance on how to improve UI search patterns.</p> <p>&#160;</p> <p><a href="http://www.microsoft.com/info.aspx?na=22&amp;p=358&amp;SrcDisplayLang=en&amp;SrcCategoryId=&amp;SrcFamilyId=&amp;u=%2fdownloads%2fdetails.aspx%3fFamilyID%3d361744c5-6949-4e56-9054-d2ad8761db07%26DisplayLang%3den">Web Client Composite Library for .NET Framework 2.0</a></p> <p>This library provides reusable application blocks for creating composite responsive Web clients.</p> <p>&#160;</p> <p><a href="http://www.microsoft.com/info.aspx?na=22&amp;p=359&amp;SrcDisplayLang=en&amp;SrcCategoryId=&amp;SrcFamilyId=&amp;u=%2fdownloads%2fdetails.aspx%3fFamilyID%3de7dc5a01-75ff-4dea-9f16-dd414041d817%26DisplayLang%3den">Web Client Validation Application Block for .NET Framework 2.0</a></p> <p>This application block provides guidance on how to improve responsiveness for UI validation.</p> <p>&#160;</p> <p><a href="http://www.microsoft.com/info.aspx?na=22&amp;p=360&amp;SrcDisplayLang=en&amp;SrcCategoryId=&amp;SrcFamilyId=&amp;u=%2fdownloads%2fdetails.aspx%3fFamilyID%3d8c10cc52-33c0-4c78-bde5-dd85c42b9f7f%26DisplayLang%3den">Web Client Search Application Block for .NET Framework 3.5</a></p> <p>This application block provides guidance on how to improve UI search patterns.</p> <p>&#160;</p> <p><a href="http://www.microsoft.com/info.aspx?na=22&amp;p=361&amp;SrcDisplayLang=en&amp;SrcCategoryId=&amp;SrcFamilyId=&amp;u=%2fdownloads%2fdetails.aspx%3fFamilyID%3d3813903f-3148-4b2c-94d5-db4219149e50%26DisplayLang%3den">Web Client Composite Library for .NET Framework 3.5</a></p> <p>This library provides reusable application blocks for creating composite responsive Web clients.</p> <p>Enjoy!!</p><img src="http://blogs.msdn.com/aggbug.aspx?PostID=8370832" width="1" height="1">VSTSVisual Studio 2008patterns &amp; practiceshttp://blogs.msdn.com/jchiou/archive/2008/01/03/vb6-vb-net-vb-2005.aspxThu, 03 Jan 2008 17:38:20 GMT91d46819-8472-40ad-a661-2c78acb4018c:6968285jchiou1http://blogs.msdn.com/jchiou/comments/6968285.aspxhttp://blogs.msdn.com/jchiou/commentrss.aspx?PostID=6968285<p>筆者知道目前仍有許多的朋友還在使用 VB6，其中的原因有很多，筆者也相信 VB6 在以前確實也解決了很多客戶商業上的需求。但在這麼一個快速變化且競爭的時代，大家是否該認真的考慮使用新的開發工具及技術，讓開發團隊可以更有效的溝通，加速寫程式的效率，提高軟體的品質等。</p> <p>&#160;</p> <p>筆者整理一些相關的資訊有電子書、升級指南、工具及參考範例等，提供參考：</p> <p>&#160;</p> <ul> <li><a href="http://msdn2.microsoft.com/en-us/vbrun/ms788236.aspx">Free Book - Upgrading Microsoft Visual Basic 6.0 to Microsoft Visual Basic .NET</a></li> <li><a href="http://msdn2.microsoft.com/en-us/vbrun/ms788233.aspx">Migration - Upgrading from Visual Basic 6.0</a></li> <li><a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=7C3FE0A9-CBED-485F-BFD5-847FB68F785D&amp;displaylang=en">Upgrading Visual Basic 6.0 to Visual Basic .NET and Visual Basic 2005 guide</a></li> <li><a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=10C491A2-FC67-4509-BC10-60C5C039A272&amp;displaylang=en">Assessment Tool</a></li> <li><a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=2B3E5D83-D6EE-41C6-BA06-06B3749C4283&amp;displaylang=en">FMStocks Sample Application Before Upgrade</a></li> <li><a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=6958DB94-A314-488D-B080-901E79EB00DD&amp;displaylang=en">FMStocks Sample Application Post Upgrade</a></li> <li><a href="http://msdn2.microsoft.com/en-us/vbasic/bb466226.aspx#interop">Visual Basic Interop Video Series</a></li> <li><a href="http://msdn2.microsoft.com/en-us/vbasic/aa701259.aspx">Interop Forms Toolkit 2.0</a></li> </ul><img src="http://blogs.msdn.com/aggbug.aspx?PostID=6968285" width="1" height="1">VSTSVisual Studio 2008patterns &amp; practiceshttp://blogs.msdn.com/jchiou/archive/2007/12/13/guidance-explorer-asp-net.aspxThu, 13 Dec 2007 17:18:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:6761395jchiou1http://blogs.msdn.com/jchiou/comments/6761395.aspxhttp://blogs.msdn.com/jchiou/commentrss.aspx?PostID=6761395<P>記得有與一些 Partners 分享過 Guidance Explorer 也一直想有時間的時候再寫部落格與大家分享，之後都在忙。</P> <P>今天剛好看到<A id=ctl00___ctl00___ctl01___Entry___AuthorLink href="http://blogs.msdn.com/user/Profile.aspx?UserID=7711" mce_href="http://blogs.msdn.com/user/Profile.aspx?UserID=7711">J.D. Meier</A>&nbsp;寫了一篇文章說明這部份，有興趣的朋友可以參考下列網址：</P> <P>How To Use Guidance Explorer to do a Security Code Inspection</P> <P><A href="http://blogs.msdn.com/jmeier/archive/2007/12/13/how-to-use-guidance-explorer-to-do-a-security-code-inspection.aspx?CommentPosted=true#commentmessage" mce_href="http://blogs.msdn.com/jmeier/archive/2007/12/13/how-to-use-guidance-explorer-to-do-a-security-code-inspection.aspx?CommentPosted=true#commentmessage">http://blogs.msdn.com/jmeier/archive/2007/12/13/how-to-use-guidance-explorer-to-do-a-security-code-inspection.aspx?CommentPosted=true#commentmessage</A></P> <P>補充一下：</P> <P>Guidance Explorer 在12 月也有出新的版本，多了許多新的功能，詳細資訊：</P> <P><A href="http://blogs.msdn.com/jmeier/archive/2007/12/12/new-release-guidance-explorer-is-now-on-msdn.aspx">http://blogs.msdn.com/jmeier/archive/2007/12/12/new-release-guidance-explorer-is-now-on-msdn.aspx</A></P><img src="http://blogs.msdn.com/aggbug.aspx?PostID=6761395" width="1" height="1">VSTSpatterns &amp; practices