SQL注入的INSERT [英] SQL injection on INSERT
问题描述
我在我们公司内部网建立了一个小调查网页。这个网页是不能从外部访问。
I have created a small survey web page on our company Intranet. This web page is not accessible from the outside.
的形式是一个简单的几个单选按钮和一个评论框。
The form is simply a couple of radio buttons and a comments box.
我想保持良好的编码习惯,想防止SQL注入。
I would like to maintain good coding practices and would like to guard against SQL Injections.
能SQL注入攻击发生在从文本注释insert语句?
如果是这样,怎么可以用.NET 2.0我警惕呢?
Can SQL injections happen on a insert statement with comments from the textbox? If so, how can I guard against it using .NET 2.0?
推荐答案
注射可以发生在任何SQL语句无法正常运行。
Injection can happen on any SQL statement not run properly.
例如,让我们pretend您的评论表有两个字段,一个整数ID和注释字符串。所以你最好插入如下:
For example, let's pretend your comment table has two fields, an integer ID and the comment string. So you'd INSERT as follows:
INSERT INTO COMMENTS VALUES(122,'I like this website');
考虑别人进入以下评论:
Consider someone entering the following comment:
'); DELETE FROM users; --
如果你只是把注释字符串到SQL没有任何处理加工,这可能把你的单插入在以下两个语句后面的注释:
If you just put the comment string into the SQL without any processesing this could turn your single INSERT in to the following two statements followed by a comment:
INSERT INTO COMMENTS VALUES(123,''); DELETE FROM users; -- ');
这将删除一切从你的用户表。而且还有人愿意整天寻找合适的表名使用试验和错误和各种技巧为空。 这里是你如何执行SQL注入攻击的描述。
This would delete everything from your users table. And there are people willing to spend all day finding the right tablename to empty using trial and error and various tricks. Here's a description of how you could perform an SQL Injection attack.
您需要使用参数化的SQL语句以prevent这一点。
You need to use parameterized SQL statements to prevent this.
和这不仅是出于安全考虑。例如,如果你创建你的SQL语句天真的评论:
And this isn't just for security reasons. For example, if you're creating your SQL statements naively the following comment:
I'm just loving this website
将导致,因为那一撇是通过SQL PTED作为结束引号间$ P $的SQL语法错误。
would cause an SQL syntax error because of the apostrophe being interpreted by SQL as a closing quote.
这篇关于SQL注入的INSERT的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
