how to protect query


Problem description


How to protect the below SQL query from SQL injection attack? Please suggest. I have studied SQL injection but I didn't get it.
sql = "Select * from adminuserdata where username='" & username & "'"

Recommended answer

Without knowing the language you are using, it is very difficult to be more than general.
However, there are two ways to protect yourself from SQL Injection attacks:
1) Encoding characters in strings, and decoding them later.
2) Parameterized queries.

The first works by replacing characters which can have significance to SQL before the data is presented:
';', '&', '[', ']', quote and double quote is a sensible starting list. So a string like "hello&there';--" might be presented to the database as "hello&there&qt;≻--" - the string must then be decoded before use.

The second works by providing placeholders in the SQL statement which are replaced with parameters when it executes. Since the data is never passed through the statement processor, it can never be interpreted as a command. In C#:
using (SqlConnection con = new SqlConnection(strConnect))
{
    con.Open();
    // @C1 and @C2 are placeholders; the values are bound below and never parsed as SQL text
    using (SqlCommand com = new SqlCommand("INSERT INTO myTable (myColumn1, myColumn2) VALUES (@C1, @C2)", con))
    {
        com.Parameters.AddWithValue("@C1", myValueForColumn1);
        com.Parameters.AddWithValue("@C2", myValueForColumn2);
        com.ExecuteNonQuery();
    }
}
The latter is (generally) easier to use, and a lot clearer to read. It also requires no processing on data retrieval, and doesn't interfere with any encoding used to prevent HTML based attacks!
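The two approaches from the answer, applied to the question's own adminuserdata lookup, as an added example that is not part of the original post or the answer's code. It uses Python's sqlite3 module against a constructed in-memory table (the column layout beyond username is assumed), so it runs offline; sqlite3 writes placeholders as ? where the answer's C# uses @C1. The entity names used for the encode/decode method are assumptions, chosen only to cover the character list the answer gives.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data standing in for the question's adminuserdata table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE adminuserdata (username TEXT, role TEXT)")
    con.executemany("INSERT INTO adminuserdata VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "editor")])
    return con


def lookup_concat(con, username):
    """The question's pattern: the value is spliced into the statement text,
    so quote characters inside it are parsed as SQL. Shown only for contrast."""
    sql = "SELECT * FROM adminuserdata WHERE username='" + username + "'"
    return con.execute(sql).fetchall()


def lookup_param(con, username):
    """Answer's method 2: a placeholder in the statement, the value bound
    separately, so the value never passes through the statement parser."""
    sql = "SELECT * FROM adminuserdata WHERE username=?"
    return con.execute(sql, (username,)).fetchall()


# Answer's method 1: replace characters that have meaning to SQL before the
# data reaches the statement, and undo it after retrieval. The answer lists
# ; & [ ] ' " as a starting set; the entity names below are assumptions.
_ENCODE = {
    "&": "&amp;", ";": "&semi;", "[": "&lsqb;", "]": "&rsqb;",
    "'": "&apos;", '"': "&quot;",
}
_DECODE = {name: ch for ch, name in _ENCODE.items()}
_ENTITY = re.compile(r"&(?:amp|semi|lsqb|rsqb|apos|quot);")


def encode_for_sql(s):
    """Single pass over the characters, so the entity produced for one
    character (which itself contains & and ;) is never re-encoded."""
    return "".join(_ENCODE.get(ch, ch) for ch in s)


def decode_from_sql(s):
    """Inverse of encode_for_sql; must be applied to every value read back."""
    return _ENTITY.sub(lambda m: _DECODE[m.group(0)], s)


def demo():
    con = make_db()
    probe = "' OR '1'='1"  # constructed input containing quote characters
    return {
        "concat": len(lookup_concat(con, probe)),                          # 2: the quote ends the literal, both rows match
        "param": len(lookup_param(con, probe)),                            # 0: compared as a plain username string
        "encoded_concat": len(lookup_concat(con, encode_for_sql(probe))),  # 0: no quote reaches the statement
        "roundtrip": decode_from_sql(encode_for_sql(probe)) == probe,      # True
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the difference the answer describes: with concatenation the probe string is parsed as part of the statement and every row comes back, while the bound parameter and the encoded form are both compared as ordinary text. The parameterized version also copes with legitimate names containing an apostrophe (for example o'brien), which the concatenated statement cannot even parse, and, as the answer notes, needs no decode step on retrieval.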

