Classic ASP SQL Injection Protection


Question

What is a strong way to protect against SQL injection for a classic ASP app?

FYI, I am using it with an Access DB. (I didn't write the app.)

Answer

Stored procedures and/or prepared statements:

https://stackoverflow.com/questions/1973/what-is-the-best-way-to-avoid-sql-injection-attacks

Can I protect against SQL injection by escaping single-quotes and surrounding user input with single-quotes?

Catching SQL Injection and other Malicious Web Requests

With an Access DB you can still do it, but if you're already worried about SQL injection, I think you need to get off Access anyway.

Here's a link to the technique in Access:

http://www.asp101.com/samples/storedqueries.asp

Note that what typically protects from injection is not the stored procedure itself, but the fact that it is parameterized and not dynamic. Remember that even SPs which build dynamic code can be vulnerable to injection if they use parameters in certain ways to build the dynamic code. Overall, I prefer SPs because they form an interface layer through which the applications get to the database, so the apps aren't even allowed to execute arbitrary code in the first place.

In addition, the execution point of the stored procedure can be vulnerable if you don't use a command and parameters; e.g. this is still vulnerable because it's dynamically built and can be an injection target:

Conn.Execute("EXEC usp_ImOnlySafeIfYouCallMeRight '" + param1 + "', '" + param2 + "'") ;

Remember that your database needs to defend its own perimeter, and if various logins have rights to INSERT/UPDATE/DELETE in tables, any code in those applications (or compromised applications) can be a potential problem. If the logins only have rights to execute stored procedures, this forms a funnel through which you can much more easily ensure correct behavior. (Similar to OO concepts where objects are responsible for their interfaces and don't expose all their inner workings.)
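The answer's two parameterization points (the saved query must be called through a command with parameters, and the SQL text must stay fixed while only bound values vary) as an added example in classic ASP/VBScript; this is not code from the original answer or from the asp101 page. It assumes, hypothetically, an Access file `App_Data/site.mdb` under the web root, a saved query named `usp_ImOnlySafeIfYouCallMeRight` that declares two text parameters in that order, and a table `Users(UserID, UserName)`. The answer's third point, logins that may only execute procedures, cannot be shown here: the Jet engine has no GRANT/EXECUTE permission model comparable to SQL Server, which is part of why the answer recommends moving off Access.

```asp
<%
Option Explicit
' Added example, not the original answer's code. Shows the concatenated call
' from the answer next to the same saved query invoked through ADODB.Command
' with parameters, plus an ad-hoc query using "?" placeholders.
' Assumptions (hypothetical): App_Data/site.mdb exists; the saved query
' usp_ImOnlySafeIfYouCallMeRight declares two text parameters in order;
' a table Users(UserID, UserName) exists.

' ADO constants, normally pulled in from adovbs.inc
Const adCmdText = 1
Const adCmdStoredProc = 4
Const adVarWChar = 202
Const adParamInput = 1

Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & _
          Server.MapPath("App_Data/site.mdb")

Dim param1, param2
param1 = Request.Form("param1")   ' attacker-controlled, e.g.  x' OR '1'='1
param2 = Request.Form("param2")

' VULNERABLE (the pattern the answer warns about): the values are spliced
' into the command text, so a quote inside param1 closes the literal and
' whatever follows is parsed as SQL. Left commented out on purpose.
' conn.Execute "EXEC usp_ImOnlySafeIfYouCallMeRight '" & param1 & "', '" & param2 & "'"

' SAFE: the same saved query, called as a command with typed parameters.
' Jet binds appended parameters by position. The values never become part
' of the SQL text, so a quote in param1 is just a character in the value.
Dim cmd, rs
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdStoredProc
cmd.CommandText = "usp_ImOnlySafeIfYouCallMeRight"
cmd.Parameters.Append cmd.CreateParameter("p1", adVarWChar, adParamInput, 255, param1)
cmd.Parameters.Append cmd.CreateParameter("p2", adVarWChar, adParamInput, 255, param2)
Set rs = cmd.Execute
Do Until rs.EOF
    ' Output is encoded: injection protection on the way in does not cover XSS on the way out.
    Response.Write Server.HTMLEncode(CStr(rs(0))) & "<br>"
    rs.MoveNext
Loop
rs.Close

' SAFE without a saved query: ad-hoc SQL with a "?" placeholder. The Jet
' OLE DB provider accepts these through ADODB.Command, so the SQL text is
' fixed at write time and only the bound value changes per request.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT UserID FROM Users WHERE UserName = ?"
cmd.Parameters.Append cmd.CreateParameter("u", adVarWChar, adParamInput, 255, Request.Form("user"))
Set rs = cmd.Execute
If rs.EOF Then
    Response.Write "no match"
Else
    Response.Write "user id " & Server.HTMLEncode(CStr(rs("UserID")))
End If
rs.Close
conn.Close
%>
```

The check to apply when auditing an existing classic ASP app is mechanical: every `Conn.Execute` or `rs.Open` whose first argument is built with `&` from `Request.*` values is the vulnerable shape, whether or not the string it builds starts with `EXEC`. Converting each one to an `ADODB.Command` with `CreateParameter` calls, as above, is the fix; declaring the parameter type and size also means a `255`-character limit is enforced by ADO rather than by the query text.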
