Sql injection attacks possible using resource(.resx) file

Views: 89

Problem description

Hi Friends,

In my project, I have maintained all SQL queries in a resource (.resx) file.

My doubt is:
- Are SQL injection attacks possible using a resource (.resx) file?
- If SQL injection is possible, then how and where should all SQL queries be maintained?

Please let me know the best solution for the above-mentioned problem.

Thanks,
Shanmuga Raja

What I have tried:

Unable to find the right suggestion for my doubts.

Recommended answer

It has nothing to do with where the queries are stored. It's how the queries are filled with data to modify the query. Say you have a query that accepts a value for a WHERE clause. If you're not preparing the query for execution properly, you're exposing code to exploitation.


Quote:

Sql injection attacks possible using resource(.resx) file.

SQL injection is made possible when your queries are exposed to code injection. It doesn't matter how you store the queries, but rather how they execute. It is of no benefit whether you store and load the SQL queries from a file, or even from a network, or store them in resource files, or in memory: if the query is exposed to injection, it will be injected with code.

Think of the code: if you are concatenating strings, like,

var query = "SELECT * FROM table_name WHERE primary_column = '" + variable + "'";

It will not matter whether this query comes from a resource, a network, or is hardcoded inside the program. You need to change this query to prevent the injection.

Quote:

If sql injection is possible then how and where to maintain all sql queries.

You need to write the queries in a secure manner; for example, the use of parameters is encouraged. You should also consider whether the user is able to modify any of these queries or not. Your program should take care of the queries that it executes.

Although every engine has its own security loopholes, and you can search for engine-specific documentation and recommendations on Google quite easily, I would recommend you start from here: SQL Injection | Microsoft Docs.
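The point the answer makes, shown as an added example that is not part of the original question or answer: the query text is loaded from a stand-in for the .resx file (a dictionary here, which is a constructed assumption), and the only thing that differs between the vulnerable lookup and the hardened one is how the value reaches the query. The example is written in Python with the built-in sqlite3 module so that it runs stand-alone; the table, the sample rows, the resource names and the function names are all invented for illustration and are not from the poster's project.

```python
import sqlite3

# Constructed stand-in for the .resx file: query text keyed by resource name.
# The unsafe template expects the caller to splice the value into the SQL text,
# which is the same thing as the '+' concatenation in the answer; the safe
# template carries a '?' placeholder that sqlite3 binds as a parameter.
RESOURCE_QUERIES = {
    "FindUserUnsafe": "SELECT id, name FROM users WHERE name = '{value}'",
    "FindUserSafe": "SELECT id, name FROM users WHERE name = ?",
}

# Constructed sample rows so the example runs offline; o'brien is there to show
# what a legitimate value containing a quote does to each approach.
SAMPLE_USERS = [(1, "alice"), (2, "bob"), (3, "carol"), (4, "o'brien")]


def open_db():
    """Return an in-memory SQLite connection populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_unsafe(conn, value):
    """Fill the resource query by splicing the value into the SQL text (vulnerable)."""
    sql = RESOURCE_QUERIES["FindUserUnsafe"].format(value=value)
    return conn.execute(sql).fetchall()


def find_user_safe(conn, value):
    """Run the resource query with the value bound as a parameter (hardened).

    The SQL text never changes, so the value can only ever be compared with
    the column; it cannot become part of the statement.
    """
    sql = RESOURCE_QUERIES["FindUserSafe"]
    return conn.execute(sql, (value,)).fetchall()


def find_user_unsafe_or_error(conn, value):
    """Like find_user_unsafe, but report a broken statement instead of raising."""
    try:
        return find_user_unsafe(conn, value)
    except sqlite3.Error as exc:
        return f"error: {type(exc).__name__}"


def demo():
    """Run both lookups against a benign value, a quoted value, and a payload."""
    conn = open_db()
    benign = "alice"
    quoted = "o'brien"           # legitimate input that happens to contain a quote
    hostile = "x' OR '1'='1"     # classic tautology payload
    results = {
        "unsafe_benign": find_user_unsafe_or_error(conn, benign),
        "unsafe_quoted": find_user_unsafe_or_error(conn, quoted),
        "unsafe_hostile": find_user_unsafe_or_error(conn, hostile),
        "safe_benign": find_user_safe(conn, benign),
        "safe_quoted": find_user_safe(conn, quoted),
        "safe_hostile": find_user_safe(conn, hostile),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Running it, the spliced query returns every row for the payload and fails with a syntax error for o'brien, while the parameterized query returns exactly the matching row in both cases, even though both query strings came from the same "resource". In ADO.NET the equivalent change is to keep a placeholder such as @value in the resource string and bind it through SqlCommand.Parameters instead of concatenating the variable into the text.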

