How can I avoid SQL injection attacks?


Question

Yesterday I was speaking with a developer, and he mentioned something about restricting the insertions on database field, like, strings such as -- (minus minus).

At the same time, what I know is that it is a good approach to escape HTML chars like <, > etc., not --. Is this true? Do I have to worry about --, ++? Is it more like a myth or old stuff?

Thanks a lot for all the answers, it's easy to understand like that since I'm kind of new to all of this. Well, to be more specific, in this case our discussion was about a C# ASP.NET MVC website we're developing, so there's a complex open-an-account form in there with important information, so I'm not sure if MVC using Linq to interface with the database already comes with this kind of protection or not. So if anyone could provide some hints about it, it would be great. Thanks again

Accepted answer

The proper way to avoid SQL Injection attacks is NOT to simply disallow certain problematic characters, but rather to use parameterized SQL. In short, parameterized SQL prevents the database from executing raw user input as part of the SQL command; this prevents user input like "drop table" from being executed. Just escaping characters does not stop all forms of SQL injection attacks, and excluding certain words such as "Drop" does not work in all cases; there can be certain fields where "Drop" is a perfectly valid part of the data entry.

You can find some good articles on the subject of parameterized SQL here:

https://blog.codinghorror.com/give-me-parameterized-sql-or-give-me-death/

http://www.codeproject.com/KB/database/ParameterizingAdHocSQL.aspx

Now that you mentioned that you are working with ASP.net I can give you some links that deal specifically with SQL Injection in ASP.

https://dzone.com/articles/aspnet-preventing-sql-injectio

https://www.c-sharpcorner.com/UploadFile/75a48f/how-sql-injection-can-be-possible-in-asp-net-websites/

Here is a more general article on making your ASP more secure: http://www.codeproject.com/KB/web-security/Securing_ASP_NET_Apps.aspx

And, of course the MSDN article on SQL injection: http://msdn.microsoft.com/en-us/library/ms998271.aspx
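The answer's point (parameterized SQL, not character filtering, is what stops injection, and a string such as `--` is perfectly valid data once it is passed as a parameter) can be seen directly by running the two styles of query side by side. The following is an added example, not code from the question or the answer; it uses Python's standard `sqlite3` module with a constructed in-memory table because the mechanism is the same one ADO.NET `SqlParameter` objects and LINQ-generated queries rely on: the value travels to the database separately from the SQL text and can never be parsed as SQL syntax. The table, rows and input strings are all made up for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample database: two users in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, note TEXT)")
    conn.executemany(
        "INSERT INTO users (name, note) VALUES (?, ?)",
        [("alice", "ok"), ("bob", "ok")],
    )
    conn.commit()
    return conn


def find_user_concat(conn, name):
    """VULNERABLE: the user-supplied value is pasted into the SQL text.

    An input containing a quote and a '--' comment marker rewrites the
    statement; everything after '--' (including the closing quote the
    code appended) is ignored by the database.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def find_user_param(conn, name):
    """SAFE: the value is bound as a parameter.

    The SQL text is fixed; the driver hands the value to the database
    separately, so quotes or '--' inside it are just characters of a
    string literal being compared, never SQL syntax.
    """
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


def add_note_param(conn, name, note):
    """Parameterized INSERT: data containing '--' or 'drop' is stored verbatim.

    This is why blocking such substrings is the wrong fix; they are
    legitimate content once the query is parameterized.
    """
    conn.execute("INSERT INTO users (name, note) VALUES (?, ?)", (name, note))
    conn.commit()
    row = conn.execute("SELECT note FROM users WHERE name = ?", (name,)).fetchone()
    return row[0]


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR 1=1 --"   # constructed input: comments out the rest of the statement
    print("concatenated:", find_user_concat(db, hostile))   # every user leaks
    print("parameterized:", find_user_param(db, hostile))   # no user has that literal name
    print("stored note:", add_note_param(db, "carol", "drop -- keep this"))
```

Run the file and compare the two lookups for the same hostile input: the concatenated query returns every row, the parameterized one returns nothing, and the note containing both `drop` and `--` is stored and read back unchanged. The same holds for `SqlCommand` with `SqlParameter` or for LINQ to SQL in the C# project the question describes; the code shown here is only the Python equivalent.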
