是ASP.net __EVENTTARGET和__EVENTARGUMENT容易受到SQL注入？ [英] Are the ASP.net __EVENTTARGET and __EVENTARGUMENT susceptible to SQL injection?

问题描述

一个安全审查是对我们的ASP.net应用之一进行，在测试结果返回被认为是一个高风险的项目SQL注入暴露。

已执行的测试结果通过SQL语句作为__EVENTTARGET和__EVENTARGUMENT的值。我想知道，因为这些2值是用于框架的自动回传功能，并保持特定的启动回发的控制信息ASP.net自动生成的隐藏字段，是真的有SQL注入的潜力，如果您手动从不呼叫和或在您的code拉出这些参数的背后？

解决方案

  

..如果你是从来没有手动调用
  和拉力值超出这些
  在code后面的参数...

假设上述声明是真实的，我没有看到这些参数是容易受到SQL注入。也许你跑了一个自动扫描，这是一场虚惊？

A security review was done against one of our ASP.net applications and returned in the test results was a SQL Injection Exposures considered to be a high risk item.

The test that was performed passed a SQL statement as the value of the __EVENTTARGET and the __EVENTARGUMENT. I am wondering since these 2 values are ASP.net auto-generated hidden fields used for the Auto-Postback feature of the framework and hold information specific to the controls initiating the postback, is there really the potential for SQL injection if you are never manually calling and or pulling values out of these parameters in your code behind?

解决方案

..if you are never manually calling and or pulling values out of these parameters in your code behind...

Assuming the above statement to be true, I don't see those parameters being susceptible to SQL Injection. Perhaps you ran an automated scan and this is a false alarm?

这篇关于是ASP.net __EVENTTARGET和__EVENTARGUMENT容易受到SQL注入？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！