正确保护编辑控件免受SQL注入和无意义字符的影响 [英] Properly protect edit control from SQL injection and nonsense characters

问题描述

介绍及相关信息：



我有一个编辑控件，用户应该进入公司名称。 编辑控件可识别区域设置。



问题：



我希望从 SQL注入攻击和用户输入无意义字符中正确保护它。



我努力解决问题：



我想放弃<我的子类化过程中code>冒号和分号以响应 WM_CHAR ，并再次执行验证以响应 EN_CHANGE 。如果出现问题，我会通知用户并禁用保存按钮。



由于我的应用程序可识别区域设置，我需要识别区域设置测试输入字符的函数。



到目前为止，我找到了 IsCharAlpha [ ^ ]和 IsCharAlphaNumeric [ ^ ]这似乎是语言环境感知（我的英语不是最好的，所以也许我误读了MSDN文件，我为此道歉。



我也在这里搜索过类似的问题，但没有找到。



问题：



将丢弃分号只做技巧，或者我需要采取其他一些角色需要考虑吗？



我是否在正确的轨道上进行了子类化+ EN_CHANGE 或者是否存在实现这个的更好方法是什么？如果有可以指出我正确的方向吗？



谢谢。



祝你好运。

INTRODUCTION AND RELEVANT INFORMATION:

I have an edit control in which user should enter a company name. Edit control is locale aware.

PROBLEM:

I wish to properly protect it from SQL injection attacks and from user entering nonsense characters.

MY EFFORTS TO SOLVE THE PROBLEM:

I was thinking of discarding colon, and semicolon in my subclassing procedure in response to WM_CHAR, and to perform the validation again in response to EN_CHANGE. If problem occurs I would inform the user and disable "Save" button.

Since my application is locale aware, I need locale aware functions for testing the input character.

So far I have found IsCharAlpha[^] and IsCharAlphaNumeric[^] which seem locale aware ( my English is not the best so maybe I have misread the MSDN documentation, I apologize for that ).

I have also searched here for similar questions but found none.

QUESTION:

Will discarding semicolon only do the trick, or I need to take some other characters into consideration?

Am I on the "right track" with subclassing + EN_CHANGE or is there a better way to achieve this? If there is can you point me in the right direction?

Thank you.

Best regards.

推荐答案

这个漏洞在这里得到了很好的解释，以及主要的补救措施：

http://xkcd.com/327 [ ^ ]，

http://en.wikipedia.org/wiki/SQL_injection [< a href =http://en.wikipedia.org/wiki/SQL_injectiontarget =_ blanktitle =New Window> ^ ]。



正如您所看到的，有效的补救措施是使用参数化语句并从';'中清除用户输入并且其他字符不可靠，烦人且不应使用。但是，您可以清理所有其他目的的输入，以确保输入有效数据。



对不起，我过去的答案主要是.NET和ADO.NET，但是你可以找到一些有用的想法：

在com.ExecuteNonQuery（）中重新启动EROR ; [ ^ ]，

hi name未显示在名称？ [ ^ ]。

-SA

This exploit is well explained here, as well as the major remedy:
http://xkcd.com/327[^],
http://en.wikipedia.org/wiki/SQL_injection[^].

As you can see, effective remedy is the use of parametrized statements and the sanitizing of user input from ';' and other characters cannot be reliable, bothersome and should not be used. However, you can sanitize the input of all other purposes, to ensure entering valid data.

Sorry, my past answers are mostly for .NET and ADO.NET, but you can find some useful ideas:
EROR IN UPATE in com.ExecuteNonQuery();[^],
hi name is not displaying in name?[^].

—SA

这篇关于正确保护编辑控件免受SQL注入和无意义字符的影响的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！