How to solve SQL injection?


Problem description





Hi
How to solve SQL injection in SQL Server 2008 R2 with parameterized queries and ASP.NET?

If anyone knows, please guide me. I don't know about this.

Thanks in advance.

Recommended answers

Here is a very simple C# example: http://www.dotnetperls.com/sqlparameter

The basic concept is this:
If you build a query using syntax like this: string query = "SELECT something FROM someTable WHERE someKey = '" + someKeyValue + "'";
then malicious SQL code could be entered into someKeyValue and then make its way into your database. This malicious code could include any valid SQL statement that would then get parsed and executed in your SQL server.

To alleviate this, use SQL parameters. This will internally sanitize that input value as a parameter and will ensure that you don't run into injection issues.
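As an added example (not code from the original answer or from the linked page), here is the concatenated query from the question beside its parameterized ADO.NET equivalent. The table and column names (user_table, user_code, user_pass) follow the thread; the connection string, the parameter lengths and the method names are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the original answer. Table and column names
// follow the thread; the connection string and parameter lengths are assumptions.
public static class LoginRepository
{
    // Placeholder connection string; replace with your own.
    private const string ConnectionString =
        "Server=.;Database=AppDb;Integrated Security=true;";

    // VULNERABLE: the request values become part of the SQL text. A single quote
    // in either value ends the string literal and everything after it is parsed
    // as SQL by the server.
    public static bool UserExistsUnsafe(string userCode, string userPass)
    {
        string sql = "SELECT COUNT(*) FROM user_table WHERE user_code = '" + userCode +
                     "' AND user_pass = '" + userPass + "'";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // SAFE: the SQL text is a constant containing only placeholders. The values
    // are sent to SQL Server as typed parameters and compared as data, so a
    // quote or a comment marker inside them has no effect on the statement.
    public static bool UserExists(string userCode, string userPass)
    {
        const string sql =
            "SELECT COUNT(*) FROM user_table " +
            "WHERE user_code = @userCode AND user_pass = @userPass";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Declare type and length explicitly so the parameter matches the
            // column definition and the execution plan can be reused.
            cmd.Parameters.Add("@userCode", SqlDbType.NVarChar, 50).Value = userCode;
            cmd.Parameters.Add("@userPass", SqlDbType.NVarChar, 100).Value = userPass;
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

From an ASP.NET code-behind you would call `LoginRepository.UserExists(Request["userCode"], Request["userPass"])`; the request values are passed straight through because the parameter, not string escaping, is what keeps them out of the SQL text. Comparing a stored plaintext password in the query, as the thread's example does, is a separate weakness from injection and is not addressed here.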


Hello Santosh,

As far as I know, SQL injection can happen in front-end code (ASP.NET/code-behind) as well as backend code (stored procs/functions).
Front-End
In the front end the common reason for SQL injection is not using parameterized queries (SqlCommand). What it means is that dynamic query strings are constructed by concatenating the request values, e.g.
strSQL = "SELECT * FROM user_table WHERE user_code = '" + Request["userCode"] + "' AND user_pass = '" + Request["userPass"] + "'";


In this case a hacker may type in values for, say, the password field such that the resulting query may look like

SELECT * FROM user_table WHERE user_code = 'IUnknown' || user_code LIKE '%' -- AND user_pass = 'NOPASS'


One way to solve this, but not recommended, is to sanitize the input by escaping certain characters (', ", | etc.) and generate the dynamic SQL string.
The preferred way is to use bind variables (parameterized queries using SqlCommand). This way the query only contains the placeholders and the values are passed to the database. This not only helps the database server reuse the query execution plan but also removes the need for hard parsing.

Now the second type of SQL injection happens due to improper use of bind variables. In this case the front-end code is using the bind variables to, say, invoke a stored proc. Inside this stored procedure a dynamic query is getting constructed again by concatenating the values. So to prevent this, again you have to use parameterized queries inside your stored proc. A typical example for an Oracle database would be

select * from emp where deptno = :deptno;


Note that :deptno actually refers to a variable which might be a parameter passed to the stored proc.

Please also look at the site and go through their Secure Coding Practices guide to know more about other types of vulnerabilities.

There is also a similar guide by Microsoft.

Regards,
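The second case in this answer, where the front end already passes parameters but the stored procedure rebuilds the query by concatenation, as an added SQL Server example that is not part of the original answer. The procedure text is kept in the C# class as a deployment script so the unsafe and safe shapes sit side by side; the table dbo.emp(deptno, ename), the procedure name, the parameter lengths and the connection string are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the original answer. Assumes SQL Server 2008 R2
// and a hypothetical table dbo.emp(deptno INT, ename NVARCHAR(50)); the
// connection string is a placeholder.
public static class EmpRepository
{
    private const string ConnectionString =
        "Server=.;Database=AppDb;Integrated Security=true;"; // placeholder

    // UNSAFE shape the answer warns about (shown only in this comment):
    //   SET @sql = N'SELECT ename FROM dbo.emp WHERE deptno = ' + CAST(@deptno AS NVARCHAR(10))
    //            + N' AND ename LIKE ''' + @namePattern + N'%''';
    //   EXEC (@sql);
    // @namePattern arrived as a parameter, but EXEC parses the concatenated
    // text, so a quote inside it is parsed as SQL again.
    //
    // SAFE shape: dynamic SQL is still built (the name filter is optional), but
    // the values go to sp_executesql as parameters and never into the text.
    public const string CreateProcedureSql = @"
CREATE PROCEDURE dbo.GetEmpByDept
    @deptno INT,
    @namePattern NVARCHAR(50) = NULL
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql NVARCHAR(MAX) = N'SELECT ename FROM dbo.emp WHERE deptno = @deptno';
    IF @namePattern IS NOT NULL
        SET @sql += N' AND ename LIKE @namePattern + N''%''';
    EXEC sp_executesql @sql,
        N'@deptno INT, @namePattern NVARCHAR(50)',
        @deptno = @deptno, @namePattern = @namePattern;
END";

    // Front-end call: CommandType.StoredProcedure plus typed parameters, so the
    // values never appear in any SQL text on this side either.
    public static List<string> GetEmpByDept(int deptno, string namePattern)
    {
        var names = new List<string>();
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand("dbo.GetEmpByDept", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@deptno", SqlDbType.Int).Value = deptno;
            cmd.Parameters.Add("@namePattern", SqlDbType.NVarChar, 50).Value =
                (object)namePattern ?? DBNull.Value;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    names.Add(reader.GetString(0));
            }
        }
        return names;
    }
}
```

Running `CreateProcedureSql` once with `ExecuteNonQuery` installs the procedure; after that the only text SQL Server ever parses is the constant template, with `@deptno` and `@namePattern` bound by `sp_executesql`. One caveat that parameters do not cover: `%` and `_` inside `@namePattern` are still LIKE wildcards, so if the pattern must be literal, escape those characters on the way in with an `ESCAPE` clause.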

