Do I really need sql injection protection on selectcommands?


Question

Hi,

A quick question re sql injections:

I know what they are and how they appear, but using ADO.NET, I think it should be possible for the .NET framework to prevent sql injections on selectcommands (as they are expressly just that; used for selecting and not for changing the db contents).

So, in the code below, since I only want to select things, do I really need parameterized sql or is there a built-in flag saying that changing the db is not allowed?

Thanks!

Petter

using System.Data;
using System.Data.SqlClient;

// conn is an already open SqlConnection, str holds the SQL text and dt is the DataTable to fill
SqlCommand cmd = new SqlCommand(); // Create SQL command
cmd.Connection = conn;
cmd.CommandText = str;             // raw SQL text, no parameters

SqlDataAdapter da = new SqlDataAdapter(); // Create SQL adapter
da.SelectCommand = cmd;

da.Fill(dt);

Answers

.NET framework itself does not protect against SQL injection. Essentially, SQL injection comes from misuse of ADO.NET and SQL. You can protect yourself from SQL injection only if you use it both correctly and carefully.

The nature of SQL injection is explained here: http://xkcd.com/327.

And here the basics are explained, including the basic idea of prevention of it:
http://en.wikipedia.org/wiki/SQL_injection,
using parameterized statements: http://msdn.microsoft.com/en-us/library/ff648339.aspx.

Please see also my past answers:
EROR IN UPATE in com.ExecuteNonQuery();,
hi name is not displaying in name?.

—SA


The short answer to your question is: Yes, you do need protection even with SELECT commands.

A bit longer explanation. First of all, ADO.NET actually takes no responsibility when it comes to error checking, privileges etc. These are tasks that the database server handles. So ADO.NET will happily send the SQL statement to the database server as-is, even if it is injected.

The command is executed in the database with the privileges of the user who is actually connected to the database. In n-tier applications this is often a single user, meaning that the same credentials are used for all operations. This also often means that the privileges of this user are quite substantial. Because of this, the user is likely to have the capability to harm the data and the database even when the injection was originally done to a SELECT statement.

So in other words if the database user has sufficient privileges, it really doesn't matter which statement is injected.
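A worked example, added here and not part of either answer or the original question, showing the same SELECT built by string concatenation beside its parameterized ADO.NET form; the members table, its columns and the caller-supplied open SqlConnection are assumptions:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the original question or answers. The members table,
// its columns and the caller-supplied open SqlConnection are assumptions.
static class MemberLookup
{
    // Vulnerable form: the user-supplied value is spliced into the SQL text, so the
    // server parses everything in it (quotes, keywords, extra clauses) as SQL.
    public static string BuildUnsafeQuery(string userName)
    {
        return "SELECT id, name FROM members WHERE name = '" + userName + "'";
    }

    // Parameterized form: the SQL text is constant and the value travels separately
    // as typed data the server never parses as SQL, so it cannot alter the statement.
    public static DataTable LookupMember(SqlConnection conn, string userName)
    {
        var dt = new DataTable();
        using (var cmd = new SqlCommand(
            "SELECT id, name FROM members WHERE name = @name", conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = userName;
            using (var da = new SqlDataAdapter { SelectCommand = cmd })
            {
                da.Fill(dt);
            }
        }
        return dt;
    }

    static void Main()
    {
        // Even a legitimate name with an apostrophe shows why concatenation fails:
        // the quote in O'Brien ends the string literal early, and whatever follows
        // is handed to the server as SQL rather than as part of the name.
        Console.WriteLine(BuildUnsafeQuery("O'Brien"));
        // LookupMember(conn, "O'Brien") sends the fixed statement above and
        // matches the name literally, apostrophe included. Pair this with a
        // database login that holds only SELECT on the tables the code needs,
        // since injected SQL runs with whatever rights that login has.
    }
}
```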


Thanks all!

Not being able to mark it as a reply, I must say I found Richard's answer/comment a very good reply to my specific question.

With your combined answers I now also see why, even if there were a function like the one I assumed worked (forcing SelectCommand to not be able to send updates etc), parameterized sql is still the way to go - if it weren't there, an evil-minded user could write SELECT * From members etc and get all the user data.

Thanks all again for your valuable points and insights.

Petter
