Dynamic LINQ with direct user input, any dangers?


Question

I have a table in an ASP.NET MVC application that I want to be sortable (server-side) and filterable using AJAX. I wanted it to be fairly easy to use in other places and didn't feel like hardcoding the sorting and filtering into query expressions, so I looked for a way to build the expressions dynamically, and the best way to do this I found was with Dynamic LINQ.

User input from a URL like below is directly inserted into a dynamic Where or OrderBy.

/Orders?sortby=OrderID&order=desc&CustomerName=Microsoft

This would result in two expressions:

OrderBy("OrderID descending")
Where(@"CustomerName.Contains(""Microsoft"")")

While I understand that it won't be thrown at the database directly and inserting straight SQL in here won't work because it can't be reflected to a property and it's type-safe and all, I wonder if someone more creative than me could find a way to exploit it regardless. One exploit that I can think of is that it's possible to sort/filter on properties that are not visible in the table, but this isn't that harmful since they still wouldn't be shown and it can be prevented by hashing.

The only way I allow direct user input is with OrderBy and Where.

Just making sure, thanks :)

Solution

Because LINQ to SQL uses type-safe data model classes, you are protected from SQL Injection attacks by default. LINQ to SQL will automatically encode the values based on the underlying data type.
(c) ScottGu

But you can still get "divide by zero" there, so it is recommended to handle all unexpected exceptions and also to limit the length of valid entries, JIC.
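The following is an added example, not code from the question or the answer above. It shows why the form in the question matters: `Where(@"CustomerName.Contains(""Microsoft"")")` only reaches that shape if the request value is spliced into the expression text, and a spliced value can close the string literal and append its own expression syntax, so the "filter on properties that are not visible" case the question mentions becomes a query oracle for a hidden column. The hardened version passes the value as a Dynamic LINQ parameter (`@0`), checks the sort column against an explicit whitelist and caps the filter length, as the answer suggests. It assumes the System.Linq.Dynamic.Core NuGet package (namespace `System.Linq.Dynamic.Core`, which keeps the string-based `Where`/`OrderBy` of the original Dynamic LINQ sample); the `Order` type, the `InternalNote` column and the sample rows are constructed for the demonstration.

```csharp
// Added example, not code from the original question or answer.
// Assumes the System.Linq.Dynamic.Core NuGet package.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Dynamic.Core;

public class Order
{
    public int OrderID { get; set; }
    public string CustomerName { get; set; }
    public string InternalNote { get; set; } // hypothetical column that is never rendered in the table
}

public static class OrderQueries
{
    // Constructed sample rows standing in for the database table.
    public static readonly List<Order> Sample = new List<Order>
    {
        new Order { OrderID = 1, CustomerName = "Microsoft", InternalNote = "vip" },
        new Order { OrderID = 2, CustomerName = "Contoso",   InternalNote = "late-payer" },
        new Order { OrderID = 3, CustomerName = "Fabrikam",  InternalNote = "vip" },
    };

    // The pattern from the question: the request value is spliced into the expression text.
    // Dynamic LINQ string literals are delimited by double quotes, so a value containing
    // a quote ends the literal and the rest of the value is parsed as expression syntax.
    public static IQueryable<Order> FilterUnsafe(IQueryable<Order> orders, string customerName)
    {
        return orders.Where("CustomerName.Contains(\"" + customerName + "\")");
    }

    // Hardened version: sort column from a whitelist, direction normalised,
    // filter value bound as a parameter (@0) so it is only ever a string, length capped.
    private static readonly HashSet<string> SortableColumns =
        new HashSet<string>(StringComparer.Ordinal) { "OrderID", "CustomerName" };
    private const int MaxFilterLength = 64;

    public static IQueryable<Order> Query(IQueryable<Order> orders, string sortBy, string order, string customerName)
    {
        if (sortBy == null || !SortableColumns.Contains(sortBy))
            throw new ArgumentException("unknown sort column: " + sortBy);
        string direction = order == "desc" ? "descending" : "ascending";

        if (!string.IsNullOrEmpty(customerName))
        {
            if (customerName.Length > MaxFilterLength)
                throw new ArgumentException("filter value too long");
            // The value never becomes part of the parsed expression, so quotes,
            // operators and property names inside it are matched literally.
            orders = orders.Where("CustomerName.Contains(@0)", customerName);
        }
        return orders.OrderBy(sortBy + " " + direction);
    }

    public static void Main()
    {
        var orders = Sample.AsQueryable();

        // Constructed malicious input: closes the literal and ORs in a test on the hidden column,
        // producing the expression  CustomerName.Contains("x") || InternalNote.Contains("vip")
        string attack = "x\") || InternalNote.Contains(\"vip";

        var leaked = FilterUnsafe(orders, attack).ToList();
        Console.WriteLine("spliced:        " + leaked.Count + " rows match (hidden column acted as an oracle)");

        var safe = Query(orders, "OrderID", "desc", attack).ToList();
        Console.WriteLine("parameterized:  " + safe.Count + " rows match (input compared as a plain string)");

        try
        {
            Query(orders, "InternalNote", "asc", null);
        }
        catch (ArgumentException e)
        {
            Console.WriteLine("rejected:       " + e.Message);
        }
    }
}
```

The same splice also lets a request inject arithmetic such as `OrderID / 0` into the expression, which is the "divide by zero" the answer warns about; with the parameterized form the only thing the expression parser ever sees from the request is a column name that has already passed the whitelist, so parse errors and runtime exceptions from the query text can no longer be triggered by the filter value.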
