需要在整个应用程序中纠正Sql Injection问题 [英] Need to rectify Sql Injection issue in whole application
问题描述
我有一个易于sql注入的应用程序。在形成查询时,它直接从控件或查询字符串中获取输入等。 />
现在我必须从整个应用程序中删除sql注入的风险。我知道有两种方法可以做到这一点:
1.使查询参数化
2.或者使存储过程
但问题是,如果我遵循上述两种方法中的任何一种,我必须进行大约12000个实例的更改。
我的问题是:
当实例计数为时,有没有其他方法可以做到这一点太大了?
Hi,
I have an application which is prone to sql injection.while forming the queries, its taking inputs directly from the controls or query string etc
Now I have to remove the risk of sql injection from the whole application. I know there are two ways to do that:
1. make the query parameterized
2. or make the stored procedures
But the problem is that, there are around 12000 instances where I have to make the changes, if I follow any of the above two methods.
My question here is:
Is there any other way to do this when the instance count is too big?
推荐答案
你可以过滤输入和转义输出。
这意味着您需要在存储数据时通过适当的验证和限制100%确定您保存到数据库的内容。
参考 -
1. 对ASP.NET应用程序进行黑客攻击 [ ^ ]。
2. 保护ASP.NET应用程序 [ ^ ]。
但是,我仍然建议你去参数化查询和存储过程。
这需要时间来构建,但肯定会保证你的应用程序安全。
谢谢...
You can "Filter Input And Escape Output".
That means you need to be 100% sure of what you are saving to your database by proper validations and restrictions while storing the data.
Refer -
1. Hack-Proofing Your ASP.NET Applications[^].
2. Securing Your ASP.NET Applications[^].
But, still I suggest you to go for parameterized query and Stored Procedures.
It will take time to build, but will secure your application for sure.
Thanks...
你是对的,这是一项可怕的愚蠢工作。我自己知道:我将所有代码从简单的字符串连接更改为参数化查询...
You are right that it is a terrible amount of stupid work to do. I know that myself: I changed all our code from simple string concatenation to parameterized queries...
这篇关于需要在整个应用程序中纠正Sql Injection问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!