SQL Injection - global filter on web server


Problem description


Is it possible to filter web requests that contain SQL injections values?

Recommended answer


There are Web Application Firewalls or Database Firewalls that attempt to do this.


You must define either patterns for accepting input, or else a list of literal inputs that are allowed.


Some of these products work by letting you "train" them by running your app during a time when you know there are no SQL injection attacks going on, and it records the SQL queries that are known to be legitimate. Then you turn off the training mode, and subsequently the firewall will block anything that doesn't match its list of inputs to allow.

Problems with this solution:


  • If you need to change your web application, you need to re-train the firewall before you can deploy your app.


  • It limits you to run SQL queries that can be matched by such a list. If you have SQL that is highly variable (for example, dynamic queries that do extra joins or extra terms in the WHERE clause conditionally), it's hard to make rules for what to allow.


Ultimately, you're better off protecting yourself from SQL injection in code by using query parameters.

This is the answer to nearly every question about SQL injection on Stack Overflow!


See also some of my past answers on web app firewalls or database firewalls:
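The contrast the answer draws, as an added example that is not part of the original post: a dynamic query whose WHERE terms are added conditionally but whose values are always bound parameters, beside the string-concatenation pattern a firewall would have to catch, plus a toy "training mode" allowlist that rejects a legitimate but previously unseen combination of terms. The users table, its rows and every function name here are constructed for this example.

```python
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample rows for this example (not from the original post).
SAMPLE_ROWS = [("alice", "admin", 1), ("bob", "staff", 1), ("carol", "staff", 0)]

def make_db() -> sqlite3.Connection:
    """In-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT, active INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def build_user_query(name: Optional[str] = None, role: Optional[str] = None,
                     active_only: bool = False) -> Tuple[str, list]:
    """Dynamic query: WHERE terms are appended conditionally, but every
    user-supplied value is bound as a parameter, never spliced into SQL text."""
    clauses, params = [], []
    if name is not None:
        clauses.append("name = ?")
        params.append(name)
    if role is not None:
        clauses.append("role = ?")
        params.append(role)
    if active_only:
        clauses.append("active = 1")  # constant term, carries no user data
    sql = "SELECT name, role FROM users"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql + " ORDER BY name", params

def find_users(conn: sqlite3.Connection, **filters) -> List[Tuple[str, str]]:
    """Parameterized lookup: a value such as "' OR 1=1 --" simply fails to match."""
    sql, params = build_user_query(**filters)
    return conn.execute(sql, params).fetchall()

def find_users_concat(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """The concatenation pattern a WAF would have to catch: the value becomes
    SQL syntax. Kept only to contrast with find_users()."""
    return conn.execute(f"SELECT name, role FROM users WHERE name = '{name}'").fetchall()

def train_allowlist(training_filters: List[dict]) -> set:
    """Mimic a firewall's training mode: record the query texts seen."""
    return {build_user_query(**f)[0] for f in training_filters}

def allowed_by(allowlist: set, **filters) -> bool:
    """Allowlist check on query text: a legitimate but previously unseen
    combination of conditional terms is rejected, as the answer warns."""
    return build_user_query(**filters)[0] in allowlist
```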
