SQL注入解决方案 [英] SQL injection solution

问题描述

大家好.
谁能向我解释如何总体上提高针对SQL注入和黑客的编码，这意味着如何设计与SQL注入黑客隔离的安全网站或Windows应用程序?
例如，我在登录表单后面插入了一个函数，用于删除用户名和密码中的危险字符.

 静态 公共 字符串 MakeSafeData(字符串 Unsafe_String)
    {
        字符串 Safe_String = 空；
        字符串 [] Valid_Chars = 新 字符串 [  36 ] {
                     " ，"  1"，  2"，" ，" ，" ，  6"，  7 "，  8"，  9"，
                     " ，"  b"，  c"，" ，" ，" ，  g"，  h "，  i"，  j"，
                     " ，"  l"，  m"，" ，" ，" ，  q"，  r "，  s"，  t"，
                     " ，"  v"，  w"，" ，" ，" };

        // 删除不安全字符
         for ( int  c =  0 ; c <  Unsafe_String.Length; c ++)
        {
             foreach (字符串 s  in 中的有效字符)
            {
                如果(Unsafe_String [c] .ToString()== s ||
                    Unsafe_String [c] .ToString()== s.ToUpper())
                {
                    Safe_String + = Unsafe_String [c];
                }
            }
        }

        返回 Safe_String;
    } 

解决方案

一行中，为避免SQL注入，请在查询中使用SqlParameter.对于演示，您可以查看以下视频 [ SqlParameter 而不是像上面这样的字符串验证.

检查以下与上述相关的QnA，所有建议使用sqlparameters的答案
http://stackoverflow.com/questions/2329499/regex-for-detecting- sql-injections-in-winforms [ ^ ]
http://stackoverflow.com/questions/5495753/do-sql-injection-works- in-winforms [^ ]

最好的方法是:永远不要将字符串连接起来以形成SQL查询.如果您始终使用参数化查询，那么您就不会受到SQL Injection攻击的任何威胁，而且不必更改任何字符.

话虽如此，您做事的方式效率很低:
1)使用StringBuilder而不是字符串来组合零件中的字符串.字符串是不可变的:构造字符串后不能更改，因此，每次添加字符时，生成的新字符串的长度都将比原来更长，并且复制数据.这是一种非常非常低效的方法！
2)您不需要比较数组的本地数据-使用类级别static代替，它只构造一次，而不是每次调用该方法时都要构造.
3)如果使用List代替array，则它具有Contains方法！
4)如果您仍然使用char而不是string进行比较，则无需通过不必要的ToString调用浪费时间:

 私有 静态  char  [] Valid_Chars = 新  char  [] {
              '  0'，'  1'，'  2'，'  3'，' ' ' ' '  8'，'  9'，
              '  a'，'  b'，'  c'，'  d'，' ' ' ' '  i'，'  j'，
              '  k'，'  l'，'  m'，'  n'，' ' ' ' '  s'，'  t'，
              '  u'，'  v'，'  w'，'  x'，' ' 私有 静态列表< char>有效= 新列表< char>(Valid_Chars);

 静态 公共 字符串 MakeSafeData(字符串 Unsafe_String)
     {
     StringBuilder sb = 新 StringBuilder();
      foreach ( char  c  in 中的Unsafe_String)
         {
         如果(有效.包含(c)||有效.包含(>  .ToLower(c)))
             {
             sb.Append(c);
             }
         }
     返回 sb.ToString();
     } 

[edit]应该是ToLower而不是ToUpper以匹配比较列表中的字符-OriginalGriff [/edit]

Hello everybody.
Who can explain me how to generally improve my coding against SQL injection and hackers.It means how to design a secure website or windows application that is isolated from SQL injection hackers?
for example i insert a function behind the log in form that remove dangerous characters from username and password.

static public string MakeSafeData(string Unsafe_String)
    {
        string Safe_String = null;
        string[] Valid_Chars = new string[36] { 
                     "0", "1", "2", "3", "4", "5", "6", "7", "8", "9",
                     "a", "b", "c", "d", "e", "f", "g", "h", "i", "j", 
                     "k", "l", "m", "n", "o", "p", "q", "r", "s", "t",
                     "u", "v", "w", "x", "y", "z" };

        //remove Unsafe Characters
        for (int c = 0; c < Unsafe_String.Length; c++)
        {
            foreach (string s in Valid_Chars)
            {
                if (Unsafe_String[c].ToString() == s || 
                    Unsafe_String[c].ToString() == s.ToUpper())
                {
                    Safe_String += Unsafe_String[c];
                }
            }
        }

        return Safe_String;
    }

解决方案

In one line, to avoid SQL Injectioning use SqlParameter in queries. For a demo, you can check out the following video[^] it also has a sample source to download which you can have a look at.

Prevent SQL Injection use always SqlParameter instead of string validations like above.

check below QnA related to above, all answers suggesting to use sqlparameters
http://stackoverflow.com/questions/2329499/regex-for-detecting-sql-injections-in-winforms[^]
http://stackoverflow.com/questions/5495753/do-sql-injection-works-in-winforms[^]

The best way is: never concatenate strings to form SQL queries. If you always use parametrised queries, then you leave nothing open to SQL Injection attack, and you don''t have to change any characters.

Having said that, the way you are doing things is very inefficient:
1) Use a StringBuilder instead of a string to assemble strings from parts. Strings are immutable: they cannot be changed after they are constructed, so each time you add a character you generate a new string a character longer than it was and copy the data over. This is a very, very inefficient way to do it!
2) You don''t need local data for your comparison array - use a class level static instead, and it is constructed once, instead of each time the method is called.
3) If you use a List instead of an array, it has a Contains method!
4) If you use char instead of string for your comparison anyway, you don''t need to waset time with unecesary ToString calls:

private static char[] Valid_Chars = new char[] {
              '0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
              'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j',
              'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't',
              'u', 'v', 'w', 'x', 'y', 'z' };
 private static List<char> valid = new List<char>(Valid_Chars);

 static public string MakeSafeData(string Unsafe_String)
     {
     StringBuilder sb = new StringBuilder();
     foreach (char c in Unsafe_String)
         {
         if (valid.Contains(c) || valid.Contains(char.ToLower(c)))
             {
             sb.Append(c);
             }
         }
     return sb.ToString();
     }

[edit]Should have been ToLower not ToUpper to match characters in compare list - OriginalGriff[/edit]

这篇关于SQL注入解决方案的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！