[英]Preventing SQL injections in a gridview
I want to double check to make sure that this is preventing the injections correctly. 我想仔细检查以确保这可以正确防止注射。
I have old code that uses a GridView (written by someone else a long, long time ago) in ASP .NET 3.5. 我有旧代码在ASP .NET 3.5中使用GridView(很久很久以前由其他人编写)。
In the .aspx page (the GridView uses this datasource): 在.aspx页面中(GridView使用此数据源):
<asp:SqlDataSource ID="sdsUserTables" runat="server"
ConnectionString="<%$ ConnectionStrings:Main %>"
DeleteCommand="DELETE FROM [MyTable] WHERE [tableID] = @tableID">
<DeleteParameters>
<asp:Parameter Name="tableid" Type="Int32" />
</DeleteParameters>
</asp:SqlDataSource>
Does this prevent injections on tableId? 这会阻止tableId上的注入吗?
The code behind has this: 背后的代码有:
protected void sdsUserTables_Deleting(object sender, SqlDataSourceCommandEventArgs e)
{
e.Command.Parameters["@tableId"].Value = myTableId;
}
yes, you're using a variable and it's type is declared, those two factors will prevent a SQL injection attack. 是的,你正在使用一个变量并声明它的类型,这两个因素将阻止SQL注入攻击。
See... http://www.mikesdotnetting.com/Article/113/Preventing-SQL-Injection-in-ASP.NET 请参阅... http://www.mikesdotnetting.com/Article/113/Preventing-SQL-Injection-in-ASP.NET
You can do the exact same thing by making your sql code into a stored procedure and passing a variable into that. 你可以通过将sql代码放入存储过程并将变量传递给它来完成同样的事情。
This code looks ok to me to prevent a SQL injection attack: 这段代码对我来说可以防止SQL注入攻击:
you are using a <asp:Parameter>
tag for your SQL query. 您正在为SQL查询使用
<asp:Parameter>
标记。 By this way, it will not be a part of the SQL command and will be sent to the SQL server as a parameter: this is the right way, regardless its type. 通过这种方式,它不会成为SQL命令的一部分,并将作为参数发送到SQL服务器:这是正确的方式,无论其类型如何。
the SQL command and the Connection String in the <asp:SqlDataSource>
tag will be embedded to the assembly: it will not be available to the user nor visible in the page. <asp:SqlDataSource>
标记中的SQL命令和连接字符串将嵌入到程序集中:它不可供用户使用,也不会在页面中显示。 So it cannot be tampered. 所以它不能被篡改。
If you want to enforce protection against SQL injection in general: 如果要强制执行针对SQL注入的保护:
Ensure that the [validateRequest][1]
parameter of your pages is set to "true": 确保页面的
[validateRequest][1]
参数设置为“true”:
// This parameter is normally set to "true" by default in the machine.config file
<pages validateRequest="true" />
For example: 例如:
// assuming myTableId is a string
try
{
int i = int.Parse(myTableId)
e.Command.Parameters["@tableId"].Value = i;
}
catch
{
throw new ApplicationException("Table Id should be an integer");
}
If your user inputs are strings, there is no need to check for every SQL keywords if you use parameters. 如果您的用户输入是字符串,则在使用参数时无需检查每个SQL关键字。
I think in the case of the example you gave above, you are definitely safe. 我想在你上面给出的例子中,你绝对安全。 It's always a best practice to sanitize your inputs.
清理您的输入始终是最佳做法。
Assuming that you have a form (of some type) with a textbox on it, that doesn't have a limit to the amount of text that can be typed in it (this could be potentially very bad). 假设你有一个带有文本框的表格(某种类型),它对可以在其中键入的文本数量没有限制(这可能非常糟糕)。
Here is an example: 这是一个例子:
sqlParameter sqlParam = new SqlParameter();
sqlParam.ParameterName = "@testParam";
sqlCommand.Parameters.AddWithValue("@testParam", textBox1.Text);
In the example above, once again assuming your textbox is unbound, the fact that you are stuffing the potentially malicious string into a parameter prevents the raw data from having an ill-effect on your table(s)/database(s). 在上面的示例中,再次假设您的文本框未绑定,您将潜在的恶意字符串填充到参数中的事实可防止原始数据对您的表/数据库产生不良影响。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.