停止引用可以停止sql注入 [英] Stop Quotes can stop sql injection or not

问题描述

任何人都可以告诉我是否在我的申请或网站上停止引用。然后我的应用程序可以sql注入或不



因为我看到你必须写引号然后半冒号开始你自己的行像



';从表中删除; -





Plz给出一些相关的例子以支持你的回答



感谢提前

Hi,

Can any one tell me if I stop quotes i.e ' in my application or website. then also my application can be sql injected or not

As I see you have to write quote and then semi colon to start your own line like

'; DELETE FROM Table;--


Plz give some relevant example in favor of your answer

Thanks In Advance

推荐答案

不，它们仍然不会阻止Sql Injection，您应该使用SqlParameters将值传递给SQL Server。请参阅 MSDN文档 [ ^ 更多相关信息。



SQL注入中最糟糕的情况是由你提供的...要删除表，然后注释掉其余部分声明。即使您允许引号，它也会利用您的数据库，您（但是）将以字符串格式传递SQL命令，您认为如何阻止用户自己添加引号？



如果我必须设计一个模式，我也不会依赖SQL参数。在创建或构建SQL命令之前，我首先尝试验证用户的输入。如果输入正常，那么我将再次创建SQL命令...使用SQL参数传递值。

No, they still don't prevent Sql Injection, you should use SqlParameters to pass your values to the SQL Server. See MSDN documentation[^] for more on this.

The worst scenario in SQL Injection has been provided by you... To delete the table and then comment out the rest of the statement. Even if you allow quotes or not, it will exploit your database, you (however) are going to pass SQL command in a string format, and what do you think prevents user from adding a quote himself?

If I have to design a pattern, I would also not rely on SQL parameters. I would first try to validate the user's input, before even creating or constructing the SQL command. If the input is ok, then I would create the SQL command, also again... Passing the values using SQL parameters.

了解

1的方法。 SQL注入 [ ^ ]工作。

2. 从SQL注入中证明你的ASP.NET应用程序 [ ^ ]

Find out how
1. SQL Injection[^] work.
2. Hack Proof Your ASP.NET Applications From SQL Injection[^]

Just谷歌没有引号的SQL注入，举例说明为什么不会保护您免受SQLi攻击。例如：

不允许单引号，这个SQL注入点是否仍可利用？ [ ^ ]

SQL走私或不存在的攻击 [ ^ ]



第二个链接中的Unicode走私部分特别有意义 - 您的代码看到的与单引号不同的某些Unicode字符可能会自动出现由DBMS翻译成单引号，r让你的过滤器无用。



而不是浪费你的时间试图争论一个天真的过滤器足够好，只需使用正确的参数化查询。 ADO.NET非常容易实现！

Just Google "SQL Injection without quotes" for examples of why this won't protect you from SQLi. For example:
No single quotes is allowed, Is this SQL Injection point still exploitable?[^]
SQL Smuggling, or The Attack That Wasn't There[^]

The "Unicode Smuggling" section from the second link is of particular interest - certain Unicode characters which your code sees as distinct from the single-quote may automatically be translated by the DBMS to a single quote, rendering your filter useless.

Rather than wasting your time trying to argue that a naive filter will be good enough, just use properly parameterized queries. ADO.NET makes it extremely easy to do!

这篇关于停止引用可以停止sql注入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！