How can I remove the flaw..

Problem description

Hi guys, can you please help me to remove the flaw? During security testing I am getting the flaw at sqlCmd.Parameters.Add(prm); from the following code, which saves the image into SQL Server.

// Fragment from a WinForms handler: chk_toref, txtCollectorName, lblName and
// pictureBox1 are form controls; GlobalClass and DataConnection are project classes.
string repname;
string rowsid = GlobalClass.rowsID;
if (chk_toref.Checked) { repname = txtCollectorName.Text.Trim(); } else { repname = lblName.Text; }
// Text typed into the form becomes part of the file name here (see the CWE-73 reference in the answer below).
SaveImgName = "In+" + repname + "+" + GlobalClass.rowsID + ".jpg";
string imgpath = @"C:";
string sBLOBFilePath = imgpath + @"\Signature\" + SaveImgName;
pictureBox1.Image = Image.FromFile(sBLOBFilePath);
// ReadAllBytes reads the whole file; a single FileStream.Read call may return fewer bytes than requested.
byte[] bytBLOBData = File.ReadAllBytes(sBLOBFilePath);
DataConnection data = new DataConnection();
using (SqlConnection con = data.GetConnection())
using (SqlCommand sqlCmd = new SqlCommand("update tblinbound set Signature=@img where id=@rowsid", con))
{
    con.Open();
    sqlCmd.Parameters.AddWithValue("@rowsid", rowsid);
    SqlParameter prm = new SqlParameter("@img", SqlDbType.VarBinary, bytBLOBData.Length);
    prm.Value = bytBLOBData;
    sqlCmd.Parameters.Add(prm);   // the line flagged during security testing
    sqlCmd.ExecuteNonQuery();
}   // using disposes the command and connection even if ExecuteNonQuery throws

thanks...

Recommended answer

Hi Rajendra,

You forgot to tell us what tool it was that gave you this "flaw". Or was this something produced from a human code audit?

I found the exact phrase thrown at you by googling it, and it turned up this interesting website: Common Weakness Enumeration: CWE-73: External Control of File Name or Path.

To see what you can do about each of the "flaws" listed on this site, look out for the sections headed "Potential mitigations".

Please do tell what tool was used to do the code analysis (or alternatively if it was done via code review).

Regards,
— Manfred
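The CWE-73 mitigations the answer points to (allowlist validation of the user-supplied name, then canonicalising the path and checking it stays under the intended directory) applied to the poster's scenario. This is an added example, not code from the original poster or from Manfred; signatureRoot, SignatureStore and the method names are assumptions, and the table and parameter names are taken from the question.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.IO;
using System.Linq;

// Hypothetical helper (not from the original post): builds the signature file
// path without letting form input control the file name, then stores the bytes.
static class SignatureStore
{
    // Allowlist: only the characters expected in a collector name or row id.
    private static bool IsSafeNamePart(string s) =>
        !string.IsNullOrWhiteSpace(s) && s.Length <= 64 &&
        s.All(c => char.IsLetterOrDigit(c) || c == ' ' || c == '_' || c == '-');

    // Resolve "In+<repname>+<rowsId>.jpg" under signatureRoot and verify the
    // canonical path is still inside that directory.
    public static string ResolveSignaturePath(string signatureRoot, string repname, string rowsId)
    {
        if (!IsSafeNamePart(repname) || !IsSafeNamePart(rowsId))
            throw new ArgumentException("unexpected characters in file name component");

        string fileName = "In+" + repname + "+" + rowsId + ".jpg";
        string rootFull = Path.GetFullPath(signatureRoot)
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string fullPath = Path.GetFullPath(Path.Combine(rootFull, fileName));

        // After canonicalisation, "..\" segments and absolute paths would escape
        // the root; reject anything that does not start with it.
        if (!fullPath.StartsWith(rootFull, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("path escapes the signature directory");
        return fullPath;
    }

    // Same UPDATE as the question, with the file read completely and the
    // connection and command disposed even when the query throws.
    public static int SaveSignature(string connectionString, string signaturePath, string rowsId)
    {
        byte[] img = File.ReadAllBytes(signaturePath);
        using (var con = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("update tblinbound set Signature=@img where id=@rowsid", con))
        {
            cmd.Parameters.AddWithValue("@rowsid", rowsId);
            cmd.Parameters.Add("@img", SqlDbType.VarBinary, img.Length).Value = img;
            con.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```

Call ResolveSignaturePath(@"C:\Signature", txtCollectorName.Text.Trim(), GlobalClass.rowsID) in place of the string concatenation and pass the result to SaveSignature; a name such as "..\..\Windows\win.ini" is rejected by the allowlist before the path is ever built.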
