Angularjs：如何限制包含sql查询关键字的用户输入（用于sql注入） [英] Angularjs : How to restrict user inputs which contain sql query keywords (for sql injection)

问题描述

我在AngularJs项目中有登录和其他形式的要求，限制用户输入包含输入字段中的SELECT，INSERT，UPDATE，DELETE，DROP等特定关键字。这将帮助我们防止SQL注入攻击。

I have a requirement in AngularJs project on login and other form, to restrict user inputs which contain specific keywords like "SELECT","INSERT", "UPDATE", DELETE","DROP" etc in input fields. This will help us prevent SQL injection attacks.

如果我们有任何angularjs库来完成此任务，请告诉我。或者如何使用angularjs有效地实现这一目标？

Please let me know if we have any angularjs library to accomplish this. Or how can this be achieved efficiently using angularjs?

谢谢。

推荐答案

1. 黑名单安全性不是答案。如果你检查单词select，攻击者会注入sElEct或sel / ** / ect（在MySQL中）。如果你用空格分割单词，攻击者将使用注释（/ ** /）或制表符作为分隔符。你永远不能用黑名单方法获胜（尤其是你建议的整个单词），总是使用白名单方法，只允许允许的字符（az，AZ，0-例如9。）

1. Black list is NOT the answer in security. If you check for the word "select", the attacker will inject "sElEct" or "sel/**/ect" (in MySQL). If you split the words with spaces, the attacker will use comments ("/**/") or tabs as delimiters. You can never win with the black list approach (especially with whole words as you suggested), always use white list approach and allow only permitted characters (a-z,A-Z,0-9 for example).

任何客户端验证都必然会失败。攻击者很容易使用任何简单的代理（例如fiddler或burp）攻击任何基于Javascript的防御。您应该在服务器端代码中实现白名单输入验证以及参数化查询或其他一些最佳实践，以防止DAL级别的SQL注入（两者都在一起推荐）。

Any client-side validation is bound to fail. An attacker can easily attack any Javascript-based "Defenses" with any simple proxy such as fiddler or burp. You should implement your white list input validation in your server side code alongside parametrized queries or some other best-practice to prevent SQL Injection in the DAL level (both are recommended together).

这篇关于Angularjs：如何限制包含sql查询关键字的用户输入（用于sql注入）的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！