TableAdapters SQL Injection


Question

Hi I am using a dataset and in that dataset I have a table adapter. In my table adapters I have used stored procedures as queries. If I use the following lines to insert form data using my table adapter, is it safe against SQL injection? Thanks.

UserDataSetTableAdapters.UserInformationTableAdapter myFactory = new TestProject.UserDataSetTableAdapters.UserInformationTableAdapter();
myFactory.spTest_InsertUserInformation(id, frmAddress);


Answer

Without posting your stored-procedure code, there's no way to truly answer your question, but you can probably answer it yourself.

SQL injection attacks stem from user-entered data wiggling their way into dynamically-generated and executed SQL queries. Using a stored procedure generally avoids this problem by passing the arguments as parameters, thus not dynamically generating SQL. Procedures are automatically encapsulated and do not become part of your original SQL query text.

Take the following example:

SELECT *
FROM myTable
WHERE myId = @ID;

As a parameter, you're safe to set @ID to "21; DROP TABLE myTable;". It will get escaped for you and the entire string will be compared to myId. However, if you dynamically generate your SQL query like

string query = "SELECT *\nFROM myTable\nWHERE myId = " + userEnteredText + ";";

Now you'd get the following:

SELECT *
FROM myTable
WHERE myId = 21; DROP TABLE myTable;;

Oops.

So, to answer your question: IF your stored procedure doesn't dynamically generate SQL based on its parameters and EXEC them, you should be safe.

Note: This, of course, relies on your .NET data provider to be calling the procedure with parameters and not generating dynamic SQL statements. Most do this correctly, but if you're using a 3rd party provider, you should double-check this before assuming you're safe.
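The answer's condition ("IF your stored procedure doesn't dynamically generate SQL based on its parameters and EXEC them") is easiest to see as three versions of the same procedure. This is an added T-SQL example, not code from the original post; the table and procedure names are hypothetical, and the second procedure deliberately shows the pattern the answer warns against so it can be recognised during review.

```sql
-- Added example: the same lookup written three ways. Table dbo.myTable and
-- the procedure names are hypothetical.

-- 1. SAFE: @ID is only ever a value inside a static statement. The TableAdapter
--    passes it as a parameter, so '21; DROP TABLE myTable;' is just a value
--    that fails to convert to INT; nothing in it is ever parsed as SQL.
CREATE PROCEDURE dbo.spTest_GetUser_Static
    @ID INT
AS
BEGIN
    SET NOCOUNT ON;
    SELECT * FROM dbo.myTable WHERE myId = @ID;
END;
GO

-- 2. UNSAFE: the procedure splices its parameter into query text and EXECs it.
--    Calling it through a TableAdapter with parameters does not help, because
--    the dynamic SQL is rebuilt inside the database. This is the case the
--    answer's IF excludes; look for string concatenation feeding EXEC.
CREATE PROCEDURE dbo.spTest_GetUser_Dynamic
    @ID NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT * FROM dbo.myTable WHERE myId = ' + @ID + N';';
    EXEC (@sql);   -- executes whatever statements the caller's text contains
END;
GO

-- 3. SAFE AGAIN: when dynamic SQL is genuinely required, keep user values as
--    parameters with sp_executesql. The statement text is a constant; only
--    the value travels through @p_id.
CREATE PROCEDURE dbo.spTest_GetUser_DynamicParam
    @ID INT
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT * FROM dbo.myTable WHERE myId = @p_id;';
    EXEC sp_executesql @sql, N'@p_id INT', @p_id = @ID;
END;
GO
```

On the .NET side, the designer-generated code for a TableAdapter stored-procedure query sets the command's CommandType to StoredProcedure and adds one SqlParameter per argument; checking the generated DataSet.Designer.cs for that is the quick way to confirm the provider behaviour the note above relies on.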
