How can I avoid SQL injection attacks in my ASP.NET application?

死守一世寂寞 2020-11-27 20:16

I need to avoid being vulnerable to SQL injection in my ASP.NET application. How might I accomplish this?

16 answers
  • 2020-11-27 20:35

    Everyone says "Use parameters". We'd have to say it less if it wasn't so perversely difficult.

    Use QueryFirst. The temptation to concatenate is removed, and the right way becomes the easiest way. You create a parameter just by typing @myParam in your SQL; the tool does the rest.

    Disclaimer: I wrote QueryFirst.

  • 2020-11-27 20:36

    Use Prepared Statements (link to an ASP.NET tutorial that uses prepared statements in the 'To add nodes for products' section). That's all there is to it.

    Well, that or use an ORM, like Linq to SQL or NHibernate; they internally use prepared statements.

  • 2020-11-27 20:36

    As others have said, don't concatenate user input to create dynamic SQL statements; always use parameterized SQL when using dynamic SQL. However, I will point out that this rule also applies when creating dynamic SQL inside of a stored proc. This fact is something people often overlook. They think they are safe because they are "using stored procedures."

  • 2020-11-27 20:44

    Hopefully, this will help:

    http://www.codersbarn.com/post/2008/11/01/ASPNET-Data-Input-Validation.aspx

    The short answer is to use parameterized queries.

    Anthony :-) www.codersbarn.com

  • 2020-11-27 20:44

    Understand what exactly SQL Injection is and then never write anything that is vulnerable to it.

  • 2020-11-27 20:45

    Even though your question is very generic, a few rules always apply:

    • Use parameterized queries (SqlCommand with SqlParameter) and put user input into parameters.
    • Don't build SQL strings out of unchecked user input.
    • Don't assume you can build a sanitizing routine that can check user input for every kind of malformedness. Edge cases are easily forgotten. Checking numeric input may be simple enough to get you on the safe side, but for string input just use parameters.
    • Check for second-level vulnerabilities - don't build SQL query strings out of SQL table values if these values consist of user input.
    • Use stored procedures to encapsulate database operations.
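The parameterized-query and second-level rules from the answers above, shown as an added example (not code from any of the posters). The `Products` table, its columns, and the method names are assumptions made for illustration; the commands are only built and printed, so no database connection is needed to run it.

```csharp
using System;
using System.Data;
using System.Data.SqlClient; // Microsoft.Data.SqlClient on .NET Core / .NET 5+

public static class ProductQueries
{
    // Vulnerable "before": user input becomes part of the SQL text itself.
    public static SqlCommand BuildUnsafe(string name)
    {
        return new SqlCommand(
            "SELECT Id, Name FROM Products WHERE Name = '" + name + "'");
    }

    // Hardened: the SQL text is a constant and input travels as typed parameters.
    // Explicit SqlDbType and length avoid type inference from the value.
    public static SqlCommand BuildSafe(string name, int maxRows)
    {
        var cmd = new SqlCommand(
            "SELECT TOP (@maxRows) Id, Name FROM Products WHERE Name = @name");
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        cmd.Parameters.Add("@maxRows", SqlDbType.Int).Value = maxRows;
        return cmd;
    }

    // Second-level case: a value read back from a table was originally typed
    // by a user, so it is bound as a parameter again, never concatenated.
    public static SqlCommand BuildFromStoredValue(string storedCategory)
    {
        var cmd = new SqlCommand(
            "SELECT Id, Name FROM Products WHERE Category = @category");
        cmd.Parameters.Add("@category", SqlDbType.NVarChar, 50).Value = storedCategory;
        return cmd;
    }

    public static void Main()
    {
        string input = "O'Reilly"; // constructed sample input containing a quote
        // Concatenation: the apostrophe changes the structure of the statement.
        Console.WriteLine(BuildUnsafe(input).CommandText);
        // Parameters: the statement text stays fixed, the value is carried separately.
        SqlCommand safe = BuildSafe(input, 10);
        Console.WriteLine(safe.CommandText);
        foreach (SqlParameter p in safe.Parameters)
            Console.WriteLine("{0} ({1}) = {2}", p.ParameterName, p.SqlDbType, p.Value);
    }
}
```

To execute one of these commands, assign an open `SqlConnection` to its `Connection` property before calling `ExecuteReader`.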