如何在C＃中验证http URL以避免在2013年的c＃.net中进行SQL注入攻击 [英] How to validate http URL in C# to avoid SQL injection attacks in c#.net in vs 2013

问题描述

我有一个字符串变量sstateUrl =http://abcd.com/url



所以我想验证这个sstateUrl以避免sqlinjection。



如何做，请给我一点想法。



我尝试了什么：



如何在c＃中验证http URL以避免c＃中的sql注入攻击.net in vs 2013

解决方案

编写插入查询时需要查看参数化。



< a href =https://msdn.microsoft.com/library/bb738521(v=vs.100).aspx>如何：执行参数化查询 [ ^ ]



参数化查询ADO.Net [ ^ ]



如何：防止ASP.NET中的SQL注入 [ ^ ] - 这个说明了特定的asp.net，但概念全面适用。

简单，你没有。不要担心URL。正如David_Wimbley所提到的那样担心查询。



只要文本框中的用户输入也可能有害，只看URL就不会做任何事情。

Quote：

我有一个字符串变量sstateUrl =http://abcd.com/ url

所以我想验证这个sstateUrl以避免sqlinjection。

它不起作用。您不会通过检查将在查询中连接的文本来保护SQL查询免受注入。

SQL注入是指通过将部分与用户输入连接来构建SQL查询，因为最终结果是SQL查询和用户输入被提升为SQL代码，合法输入可能会导致SQL查询崩溃，恶意输入可能会导致数据库崩溃或导致数据丢失。



永远不会构建一个通过连接字符串进行SQL查询。迟早，您将使用用户输入来执行此操作，这会打开一个名为SQL注入的漏洞，这对您的数据库很容易并且容易出错。

名称中的单引号你的程序崩溃。如果用户输入像Brian O'Conner这样的名称可能会使您的应用程序崩溃，那么这是一个SQL注入漏洞，崩溃是最少的问题，恶意用户输入，并且它被提升为具有所有凭据的SQL命令。

SQL注入 - 维基百科 [ ^ ]

SQL注入 [ ^ ]

Hi,

I have one string variable sstateUrl= "http://abcd.com/url"

so I want to validate the this sstateUrl to avoid sqlinjection.

How to do , Please give me idea.

What I have tried:

How to validate http URL in c# to avoid sql injection attacks in c#.net in vs 2013

解决方案

You need to look into parameterization when writing insert queries.

How to: Execute a Parameterized Query[^]

Parameterized Queries ADO.Net[^]

How To: Protect From SQL Injection in ASP.NET[^] -- this one says asp.net specific but concepts apply across the board.

Simple, you don't. Don't worry about the URL. Worry about the query instead, as mentioned by David_Wimbley.

Just looking at the URL doesn't do anything for cases where user input in your text boxes can also be harmful.

Quote:

I have one string variable sstateUrl= "http://abcd.com/url"
so I want to validate the this sstateUrl to avoid sqlinjection.

It don't work that way. You don't protect SQL queries from injection by checking the text that will be concatenated in the query.
SQL injection is when you build an SQL query by concatenating parts with user input because the end result is an SQL query and the user input is promoted to SQL code, a legal input can crash your SQL query, a malicious input can crash or kill your database.

Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens door to a vulnerability named "SQL injection", it is dangerous for your database and error prone.
A single quote in a name and your program crash. If a user input a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems, a malicious user input and it is promoted to SQL commands with all credentials.
SQL injection - Wikipedia[^]
SQL Injection[^]

这篇关于如何在C＃中验证http URL以避免在2013年的c＃.net中进行SQL注入攻击的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！