Is this code better than my earlier code, security wise


Problem description


One of my servers got hacked with the SQL injection due to poor coding.
So, I had someone write a stored procedure and new code.

But, to me, it looks just as flawed, even using the stored procedure.

email=request("email")
password=request("pw")

OLD CODE:
sql="select * from tablename where email='" & email & "' and password='" & password & "'"
set rs=conn.execute(sql)

NEW CODE
sql="sp_CheckLogin '" & email & "','" & password & "'"
set rs=conn.execute(sql)

Stored Procedure:
CREATE PROCEDURE sp_CheckLogin
@Email VARCHAR(100), @Password VARCHAR(100)
AS
SELECT * FROM tablename WHERE email=@Email AND Password=@Password
GO
Thanks for your help!!
*** Sent via Developersdex http://www.developersdex.com ***

Recommended answer

One of my servers got hacked with the SQL injection due to poor
coding. So, I had someone write a stored procedure and new code.

But, to me, it looks just as flawed, even using the stored procedure.

email=request("email")
password=request("pw")

OLD CODE:
sql="select * from tablename where email='" & email & "' and password='" & password & "'"
set rs=conn.execute(sql)

NEW CODE
sql="sp_CheckLogin '" & email & "','" & password & "'"
set rs=conn.execute(sql)

Yes, it is just as flawed. You need to use parameters. Like this:

set rs=createobject("adodb.recordset")
conn.sp_CheckLogin email, password, rs

In addition:
Nothing to do with your problem, but you should avoid using the "sp_"
prefix for your stored procedures. "sp_" indicates to the query engine
that the procedure is a system stored procedure, which means that it
will waste time by first looking for the procedure in the Master
database, only looking in the current database when it is not found in
Master. Granted, the time wasted is very small, but the real problem
comes in when you give your procedure the same name as a current system
procedure. You will find that the system procedure will inexplicably be
executed when you attempt to call your procedure. Instead of trying to
remember to avoid names that conflict with system procedure names, you
can make your life a lot simpler by simply never using "sp_" to prefix
your procedure names unless you are creating a system procedure.


--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.


Thanks for the information.
In my old code, I was able to successfully run sample sql injection
hacks. In the new SP code, those same sample hacks did not work. In that
case, is it still flawed?

Thanks again.

*** Sent via Developersdex http://www.developersdex.com ***


Joey Martin wrote:

Thanks for the information.
In my old code, I was able to successfully run sample sql injection
hacks. In the new SP code, those same sample hacks did not work. In
that case, is it still flawed?

If you are using & to create dynamic sql statements, then yes, it is
flawed and you are simply not using the hack that exposes the flaw.
Use parameters!
And validate all inputs before using them.

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
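The parameterized call the first reply recommends, together with the "validate all inputs before using them" advice from the second reply, written out as an added example. This is not code from the thread: it uses an explicit ADODB.Command rather than the conn.sp_CheckLogin email, password, rs shortcut so that the parameter types and sizes are visible. It assumes a classic ASP page with an already-open ADODB.Connection named conn and the sp_CheckLogin procedure from the question (two VARCHAR(100) inputs); the names IsPlausibleInput and CheckLogin are my own.

```vbscript
' Added example, not from the original thread. Assumes "conn" is an open
' ADODB.Connection and sp_CheckLogin exists as shown in the question.

' ADO constants (normally included from adovbs.inc); repeated here so the
' page is self-contained.
Const adCmdStoredProc = 4
Const adVarChar = 200
Const adParamInput = 1

' Reject values that cannot be legitimate before they reach the database.
' The procedure declares VARCHAR(100), so anything longer would be silently
' truncated or fail; an empty value can never match a real account.
Function IsPlausibleInput(value, maxLen)
    IsPlausibleInput = (Len(value) > 0) And (Len(value) <= maxLen)
End Function

' Call sp_CheckLogin with email and password bound as parameters. ADO sends
' the values separately from the statement text, so a quote, semicolon or
' comment marker inside either value is treated as data, never as T-SQL.
' Returns the recordset, or Nothing when the input failed validation.
Function CheckLogin(conn, email, password)
    Dim cmd
    Set CheckLogin = Nothing
    If Not IsPlausibleInput(email, 100) Then Exit Function
    If Not IsPlausibleInput(password, 100) Then Exit Function

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdStoredProc
    ' The reply advises dropping the sp_ prefix; the name is kept here only
    ' to match the procedure defined in the question.
    cmd.CommandText = "sp_CheckLogin"
    cmd.Parameters.Append cmd.CreateParameter("@Email", adVarChar, adParamInput, 100, email)
    cmd.Parameters.Append cmd.CreateParameter("@Password", adVarChar, adParamInput, 100, password)

    Set CheckLogin = cmd.Execute
End Function

' Usage: the same two request values the question reads, with no string
' concatenation anywhere between the request and the database.
Dim rs, loggedIn
loggedIn = False
Set rs = CheckLogin(conn, Request("email"), Request("pw"))
If Not rs Is Nothing Then
    loggedIn = Not rs.EOF
End If

If loggedIn Then
    Response.Write "Welcome " & Server.HTMLEncode(rs("email"))
Else
    Response.Write "Login failed"
End If
```

The one-line conn.sp_CheckLogin email, password, rs form in the reply does the same thing: ADO exposes stored procedures as late-bound methods on the Connection object and binds the arguments as parameters. The explicit Command object is preferable in new code because the declared types and lengths are checked on the client side before anything is sent. Note that parameterization fixes the injection only; the procedure on the page still compares the stored password column directly to the submitted value, which is a separate matter from how the query is built.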

