sql注入我的网站，影响我的数据库数据...请帮我解决问题 [英] sql injection in my website which effect my database data... please help me to short out the problem

问题描述

我的网站是在asp.net上有问题，任何人定期注入sql注入我没有从他用来注入这些脚本的地方。它也影响我的数据库和网站设计。我验证了一些输入框以限制脚本。

因此我需要一个限制在我的数据库中插入脚本的解决方案，一些监视插入数据库的所有数据的逻辑帮助我同样。

提前感谢。

my website is on asp.net and there is problem that any one inject the sql injection on regular basis i not getting from which place he use to inject these script. and it effect my database and web site design also. i validate some of input boxes to restrict the script.
so i need a solution which restrict to interring script in my database some logic which monitor all data which is inserting in database help me out for the same .
thanks in advance.

推荐答案

简单：始终使用参数化查询：

Simple: use parameterized queries at all times:

using (SqlConnection con = new SqlConnection(strConnect))
    {
    con.Open();
    using (SqlCommand com = new SqlCommand("INSERT INTO myTable (myColumn1, myColumn2) VALUES (@C1, @C2)", con))
        {
        com.Parameters.AddWithValue("@C1", myValueForColumn1);
        com.Parameters.AddWithValue("@C2", myValueForColumn2);
        com.ExecuteNonQuery();
        }
    }

或者：

Or:

Using con As New SqlConnection(strConnect)
    con.Open()
    Using com As New SqlCommand("INSERT INTO myTable (myColumn1, myColumn2) VALUES (@C1, @C2)", con)
        com.Parameters.AddWithValue("@C1", myValueForColumn1)
        com.Parameters.AddWithValue("@C2", myValueForColumn2)
        com.ExecuteNonQuery()
    End Using
End Using

您还必须为UPDATE，SELECT和类似的查询执行此操作。



如果连接字符串以形成SQL查询，则始终对SQL注入持开放态度。

You must also do this for UPDATE, SELECT and suchlike queries.

If you concatenate strings to form an SQL query, you are always wide open to SQL injection.

避免sql注入的一些提示...



不要使用 动态sql

使用 storeprocedures

不传递数据 使用查询字符串



快乐编码！

：）

some tips to avoid sql injection...

do not use dynamic sql
use storeprocedures
do not pass data using Query string

Happy Coding!
:)

数据库的安全性是任何项目都非常重要。以上两个答案可以作为关键点。进一步参考下面的链接，以获得帮助克服这个问题。



SQL注入攻击和一些如何预防它们的技巧 [ ^ ]



如何：保护ASP.NET中的SQL注入 [ ^ ]



了解SQL注入和创建SQL注入证明ASP.NET应用程序 [ ^ ]



在ADO.NET中防止SQL注入 [ ^ ]

Database secutity is very crucial part in any project.The above two answers can be considered as key points.Further refer to below links to get help overcome this issue.

SQL Injection Attacks and Some Tips on How to Prevent Them[^]

How To: Protect From SQL Injection in ASP.NET[^]

Understanding SQL Injection and Creating SQL Injection Proof ASP.NET Applications[^]

Preventing SQL Injection in ADO.NET[^]

这篇关于sql注入我的网站，影响我的数据库数据...请帮我解决问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！