SQL注入漏洞 [英] SQL Injection vulnerabilities

问题描述

我们有一个网站ASP.NET/C#。我们的开发人员在离岸边亚洲，我刚发现他们已经把原始的SQL在网站前端。

We have a ASP.NET/C# website. Our developers are off shore in Asia and I just discovered they have been placing raw SQL on the site front end.

我很担心我们现在容易受到SQL注入攻击。有谁知道我怎么可以检测网站上的安全漏洞，什么是关闭对他们的门最好？

I am worried we are now vulnerable to SQL injection attacks. Does anyone know how I can detect vulnerabilities on the site and what is the best way to close the door on them?

推荐答案

试图从正面检测漏洞的可能的帮助，但真的是你应该看的code，特别是所有code，涉及到的DbCommand，的SqlCommand等的关键点，因为你清楚的知道，是从来没有将用户输入到一个查询，但对其进行参数化。有可用的好工具，可以让这个参数设置很容易做到 - 至少，比人工手动操作更容易。例如，如果您有：

Trying to detect the vulnerabilities from the front may help, but really you should be looking at the code, in particular all code that relates to DbCommand, SqlCommand, etc. The key point, as you clearly know, is never to concatenate user input into a query, but to parameterise it. There are good tools available that can make this parameterisation easy to do - or at least, easier than doing it manually. For example, if you have:

using(var cmd = conn.CreateCommand()) {
    cmd.CommandText = "delete from Orders where id = " + id;
    cmd.ExecuteNonQuery();
}

然后像短小精悍点网的一个工具可以让你做这样的事情：

then a tool like dapper-dot-net will allow you to do things like:

conn.Execute("delete from Orders where id = @id", new {id});

这就是少 code，很大程度上是复制粘贴，而是完全注射安全，并允许查询计划重新使用。

which is less code, largely a copy-paste, but is fully injection-safe and allows query-plan re-use.

这篇关于SQL注入漏洞的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！