Classic ASP SQL Injection Protection


Question

What is a strong way to protect against SQL injection for a classic ASP app?

FYI I am using it with an Access DB. (I didn't write the app)

Answer

Stored Procedures and/or prepared statements:

http://stackoverflow.com/questions/1973/what-is-the-best-way-to-avoid-sql-injection-attacks

http://stackoverflow.com/questions/139199/can-i-protect-against-sql-injection-by-escaping-single-quote-and-surrounding-us

http://stackoverflow.com/questions/1284/catching-sql-injection-and-other-malicious-web-requests

With Access DB, you can still do it, but if you're already worried about SQL Injection, I think you need to get off Access anyway.

Here's a link to the technique in Access:

http://www.asp101.com/samples/storedqueries.asp

Note that what typically protects from injection is not the stored procedure itself, but the fact that it is parameterized and not dynamic. Remember that even SPs which build dynamic code can be vulnerable to injection if they use parameters in certain ways to build the dynamic code. Overall, I prefer SPs because they form an interface layer through which the applications get to the database, so the apps aren't even allowed to execute arbitrary code in the first place.

In addition, the execution point of the stored procedure can be vulnerable if you don't use command and parameters, e.g. this is still vulnerable because it's dynamically built and can be an injection target:

Conn.Execute("EXEC usp_ImOnlySafeIfYouCallMeRight '" + param1 + "', '" + param2 + "'") ;

Remember that your database needs to defend its own perimeter, and if various logins have rights to INSERT/UPDATE/DELETE in tables, any code in those applications (or compromised applications) can be a potential problem. If the logins only have rights to execute stored procedures, this forms a funnel through which you can much more easily ensure correct behavior. (Similar to OO concepts where objects are responsible for their interfaces and don't expose all their inner workings.)
