.NET库净化输入？ [英] .NET libraries to sanitize input?

问题描述

有没有彻底的测试.NET库都来消毒的像脚本/ sql注入输入？

Are there any thoroughly tested .NET libraries out there to sanitize input from things like script/sql injection?

推荐答案

SQL注入和跨站脚本（XSS又名或脚本注入）是不同的问题。

SQL injection and Cross-Site Scripting (a.k.a. XSS or Script Injection) are different problems.

1）SQL注入是很容易的，始终使用参数化查询（的SqlParameter），并尝试真的很难永远不会做在T-SQL存储过程sp_exec @query。净参数化查询不会防止这种二次注射。

1) SQL Injection is very easy, always use parametrized queries (SQLParameter) and try really hard to NEVER do sp_exec @query within T-SQL stored procedures. .Net parametrized queries will not protect against this second order injection.

2）的XSS更难以普遍减轻由于存在的JavaScript可以插入到HTML文档这么多的地方。这些建议使用AntiXSS编码的用户​​数据是正确的。插入用户数据到输出文件之前，请使用这个库。不幸的是，如果你使用的是编码的所有数据ASP.Net服务器控件可能会导致双编码和文物陈列。这是因为一些控制特性EN code的数据，而有的则没有。请参照<一个href="http://blogs.msdn.com/sfaust/archive/2008/09/02/which-asp-net-controls-automatically-en$c$cs.aspx">this表以找出性能EN codeD默认情况下。使用防XSS分配到不带连接code任何属性之前。

2) XSS is more difficult to universally mitigate since there are so many places that JavaScript can be inserted into HTML documents. The recommendations to use AntiXSS for encoding user data is right on. Use this library before inserting user data into output documents. Unfortunately, if you are using ASP.Net server controls encoding all data may lead to double-encoding and display artifacts. This happens because some control properties encode data while others don't. Refer to this table to find out the properties encoded by default. Use Anti-XSS before assigning to any properties that don't encode.

这篇关于.NET库净化输入？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！