如何防止JS注入攻击 [英] how to prevent js injection attack

问题描述

你好，
我创建了一个简单的表单来按用户提交数据，
我发现有些用户错过了它并插入了60000条记录，
我不确定他如何在不到5分钟的时间内插入这些记录
我的表单在.net 3.5框架下，并且@page指令具有validaterequest ="true"
任何想法我怎么能提高我的应用程序安全性！

Hello there
I created a simple form to submit data by users,
i found that some user missed up with it and inserted 60000 record,
m not sure how he managed to insert these records in less than 5 min
my form is under .net 3.5 framework , and @page directive has validaterequest="true"
any idea how can i increase my application security!!!

推荐答案

不知道您的表单如何工作，很难回答，但是基本规则是:从不连接字符串以形成SQL命令-始终使用参数化查询.我不知道您的工作状况如何，但是在C#中，您将替换为:

Without knowing how your form works, it is difficult to answer, but the basic rules are: never ever concatenate strings to form SQL commands - always use parametrized queries. I don''t know how you are doing yours, but in C#, you would replace:

SqlCommand cmd = new SqlCommand("INSERT INTO myTable (textColumn) VALUES ('" + myTextBox.Text + "')", con);

与

SqlCommand cmd = new SqlCommand("INSERT INTO myTable (textColumn) VALUES (@TX)", con);
cmd.Parameters.AddWithValue("@TX", myTextBox.Text);

这篇关于如何防止JS注入攻击的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！