How to prevent Sql-Injection on User-Generated Sql Queries

伪装坚强ぢ 2021-02-10 11:55

I have a project (private, ASP.net website, password protected with https) where one of the requirements is that the user be able to enter Sql queries that will directly query t

15 answers
-上瘾入骨i 2021-02-10 12:34

This is a bad idea, and not just from an injection-prevention perspective. It's really easy for a user that doesn't know any better to accidentally run a query that will hog all your database resources (memory/cpu), effectively resulting in a denial of service attack.

If you must allow this, it's best to keep a completely separate server for these queries, and use replication to keep it pretty close to an exact mirror of your production system. Of course, that won't work with your UPDATE requirement.

But I want to say again: this just won't work. You can't protect your database if users can run ad hoc queries.
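A defender-side sketch of the "separate, mirrored server" approach this answer describes, added here and not part of the original thread or the poster's own setup: T-SQL for SQL Server (the page's ASP.NET context suggests it) that confines the ad hoc login to SELECT and puts it into a Resource Governor pool so one runaway query cannot starve the rest of the server. The login name, database name, pool/group names, and the numeric limits are assumptions chosen for illustration.

```sql
-- 1. Least-privilege login on the read-only replica (names and password are placeholders)
USE master;
CREATE LOGIN adhoc_reader WITH PASSWORD = N'<strong-password-placeholder>';
GO
USE ReportingReplicaDb;          -- assumed name of the mirrored copy, never production
CREATE USER adhoc_reader FOR LOGIN adhoc_reader;
GRANT SELECT ON SCHEMA::dbo TO adhoc_reader;
DENY INSERT, UPDATE, DELETE, EXECUTE ON SCHEMA::dbo TO adhoc_reader;
GO

-- 2. Cap what this login can consume so a bad query cannot hog CPU/memory for everyone
USE master;
CREATE RESOURCE POOL AdhocPool WITH (MAX_CPU_PERCENT = 20, MAX_MEMORY_PERCENT = 20);
CREATE WORKLOAD GROUP AdhocGroup
WITH (
    REQUEST_MAX_MEMORY_GRANT_PERCENT = 10,  -- small memory grants only
    REQUEST_MAX_CPU_TIME_SEC = 30,          -- raises an event at 30 s of CPU; pair with a client CommandTimeout
    MAX_DOP = 1,                            -- one core per ad hoc query
    GROUP_MAX_REQUESTS = 5                  -- at most five ad hoc queries in flight
) USING AdhocPool;
GO

-- 3. Route the ad hoc login into that group; the classifier lives in master and must be schema-bound
CREATE FUNCTION dbo.AdhocClassifier() RETURNS sysname WITH SCHEMABINDING
AS
BEGIN
    DECLARE @grp sysname = N'default';
    IF SUSER_SNAME() = N'adhoc_reader'   -- assumed login name from step 1
        SET @grp = N'AdhocGroup';
    RETURN @grp;
END;
GO
ALTER RESOURCE GOVERNOR WITH (CLASSIFIER_FUNCTION = dbo.AdhocClassifier);
ALTER RESOURCE GOVERNOR RECONFIGURE;
GO
```

Resource Governor is an Enterprise/Developer edition feature, so on Standard edition only the permission part applies. A read-only replica also rejects UPDATE outright, which is exactly the limitation the answer points out.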
