How to prevent SQL Injection on User-Generated SQL Queries

伪装坚强ぢ 2021-02-10 11:55

I have a project (private, ASP.NET website, password protected with HTTPS) where one of the requirements is that the user be able to enter SQL queries that will directly query t

15 answers
  •  庸人自扰
    2021-02-10 12:22

    If they don't have to perform really advanced queries, you could provide a UI that only allows certain choices, like a drop-down list with "update, delete, select"; then the next ddl would automatically populate with a list of available tables, etc., similar to the query builder in SQL Management Studio.

    Then in your server-side code you would convert these groups of UI elements into SQL statements and use a parametrized query to stop malicious content.
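An added example, not part of the original answer, sketching the server-side step it describes: dropdown selections are checked against an allow-list and only user-typed values are bound as parameters. It uses Python with `sqlite3` as a stand-in for the ASP.NET data layer and covers SELECT only; the schema, table names and function names are hypothetical.

```python
import sqlite3

# Constructed allow-list of what the dropdowns may offer (hypothetical schema).
SCHEMA = {
    "customers": {"id", "name", "city"},
    "orders": {"id", "customer_id", "total"},
}
OPERATORS = {"=", "<", ">", "<=", ">=", "LIKE"}


def build_select(table, columns, filters=()):
    """Turn UI selections into (sql, params).

    Identifiers and operators come only from the allow-lists above;
    user-typed values are bound parameters and never enter the SQL text.
    """
    if table not in SCHEMA:
        raise ValueError(f"table not allowed: {table!r}")
    allowed = SCHEMA[table]
    bad = [c for c in columns if c not in allowed]
    if not columns or bad:
        raise ValueError(f"columns not allowed: {bad!r}")
    sql = f'SELECT {", ".join(columns)} FROM {table}'
    clauses, params = [], []
    for column, op, value in filters:
        if column not in allowed or op not in OPERATORS:
            raise ValueError(f"filter not allowed: {column!r} {op!r}")
        clauses.append(f"{column} {op} ?")  # placeholder, not the value
        params.append(value)
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql, params


def run(conn, table, columns, filters=()):
    """Build the statement and execute it with bound parameters."""
    sql, params = build_select(table, columns, filters)
    return conn.execute(sql, params).fetchall()


def demo_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, city TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                     [(1, "Ada", "Oslo"), (2, "Bob", "Rome")])
    return conn
```

Anything posted from the browser is re-validated here, because the dropdown contents themselves can be altered client-side.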
