ASP.NET Web应用程序的安全性 [英] Security of ASP.NET web applications

问题描述

在为Web应用程序提供安全性的同时，我们避免使用来自GUI的特殊字符输入。

但是任何客户端都希望在某些字段中允许特殊字符，然后如何处理特殊字符验证。

解决方案

http：// msdn.microsoft.com/en-us/library/330a99hc(v=vs.71).aspx [ ^ ]

http://msdn.microsoft.com/en-IN/library/330a99hc（v = VS.100）的.aspx [< a href =http://msdn.microsoft.com/en-IN/library/330a99hc(v=vs.100).aspx\"target =_ blanktitle =New Window> ^ ]

ASP.NET Web应用程序安全性审查：做'和&不要 [ ^ ]

我假设你正在谈论通过阻止用户输入用户名来阻止SQL注入



max;从客户删除;



例如？



但是后来你的顾客来了，想要进入被分号分隔的点燃物品？



基本上你只需要确保你不是无论输入的文本是什么，都容易受到注入攻击。



例如，不要通过连接来构建SQL字符串。



使用存储过程而不是直接SQL（优先级问题）



使用参数化查询



使用无法直接访问表的数据库用户（即仅通过SP和Vie WS）

While providing security to web applications we are avoiding special characters inputs from GUI.
But any client want to allowed the special characters in some fields then how to handle special characters validations.

解决方案

http://msdn.microsoft.com/en-us/library/330a99hc(v=vs.71).aspx[^]
http://msdn.microsoft.com/en-IN/library/330a99hc(v=vs.100).aspx[^]
ASP.NET web application security review: Do''s & Don''ts[^]

I''m assuming you are talking about preventing SQL injection by stopping users typing their user name as

max;delete from customer;

for example?

But then a customer of yours comes along and wants to enter a lit of items separated by semi-colons?

Essentially you just need to make sure you aren''t vulnerable to injection attacks regardless of the text entered.

Don''t build your SQL strings by concatenation, for example.

Use stored procedures rather than direct SQL (a matter of preference)

Use parameterised queries

Utilise a database user that does not have access to tables directly (i.e. only through SP and Views)

这篇关于ASP.NET Web应用程序的安全性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！