SQL Injection Prevention

Views: 181
This article covers the question of SQL injection prevention in a legacy ASP application and the answer given to it; readers facing the same problem may find it a useful reference.

Problem description

I'm currently working on a legacy ASP project where security has now become a large concern. Not only is it insecure encryption methods (md5), but I'm worried about SQL injection problems. I'm not very good with injection quite yet, and I've tried only the basics of what I know. I've found the function which "secures" any user input, but I'm wondering if it is actually doing anything to prevent injection attacks. Here is the function:

function sqlfix(input)
    if not isnull(input) and input <> "" then
        input = replace(input, ";", "&#59;")
        input = replace(input, "'", "&#39;")
        input = replace(input, """", "&#34;")
        input = replace(input, "(", "&#40;")
        input = replace(input, ")", "&#41;")
        input = replace(input, "|", "&#124;")
        input = replace(input, "<", "&#60;")
        input = replace(input, ">", "&#62;")
        input = replace(input , "'", "''")
        'input = Server.HTMLEncode(input)
        'input = Server.UrlEncode(input)
        sqlfix = input
    else
        sqlfix = ""
    end if
end function

I remember doing something like this many years ago when I first started PHP with mysql_* functions, but now I've moved onto PDO and parameter binding. However I don't know how safe this is for ASP applications. Thanks for any input.

Recommended answer

Don't fall into the string-interpolation trap! It's not secure.

You can use real SQL query parameters even in ASP Classic.

I'm not an ASP programmer, but I found this blog with a clear example of using an ADODB.Command object for a parameterized SQL query, and binding values to parameters before executing.

http://securestate.blogspot.com/2008/09/classic-asp-sql-injection-$p$pvention_30.html

Also see this SO question for some more examples of using named parameters:

ASP Classic named parameter in parameterized query: Must declare the scalar variable (http://stackoverflow.com/questions/1092512/asp-classic-named-parameter-in-paramaterized-query-must-declare-the-scalar-vari)
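A worked illustration of the answer's advice, added here and not taken from the answer or the linked blog: the same user lookup written with the string concatenation that the question's sqlfix() is meant to protect, and then as an ADODB.Command parameterized query. The connection string, the users table and its columns are assumed.

```vbscript
<%
' Added example (not from the original post). ADO constants normally pulled in
' from adovbs.inc; declared here so the page runs stand-alone.
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

Dim conn, cmd, rs, username
username = Request.Form("username")   ' untrusted input straight from the browser

Set conn = Server.CreateObject("ADODB.Connection")
' Assumed connection string; replace with the application's own.
conn.Open "Provider=SQLOLEDB;Data Source=DBSERVER;Initial Catalog=AppDb;Integrated Security=SSPI;"

' 1) String interpolation: the approach sqlfix() tries to make safe. The database
'    still parses whatever survives the replace() list as part of the SQL statement,
'    so safety depends on that list being complete for every context the value
'    lands in (quoted string, number, LIKE pattern, ...). Kept commented out.
' Set rs = conn.Execute("SELECT id, username FROM users WHERE username = '" & sqlfix(username) & "'")

' 2) Parameterized query: the SQL text is fixed, and the value travels to the
'    server as a typed parameter, so it can never change the statement's structure.
'    No escaping function is needed at all.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT id, username FROM users WHERE username = ?"
' Positional "?" placeholder: the parameter name is only a label in the collection.
' Size (50 here) should match the column width; ADO rejects longer values.
cmd.Parameters.Append cmd.CreateParameter("@username", adVarChar, adParamInput, 50, username)

Set rs = cmd.Execute

If Not rs.EOF Then
    ' Encode on the way out too: SQL parameters do nothing for HTML injection.
    Response.Write "Found user id " & Server.HTMLEncode(rs("id"))
Else
    Response.Write "No such user"
End If

rs.Close : conn.Close
Set rs = Nothing : Set cmd = Nothing : Set conn = Nothing
%>
```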

That concludes this article on SQL injection prevention; we hope the recommended answer is helpful.
