存储过程对SQL注入安全吗?
[英]Are stored procedures safe from SQL injections?
问题描述
I have a method that inserts records into the database using normal parameterized SQL query. 
我有一种使用普通的参数化SQL查询将记录插入数据库的方法。
public static void Add(string name, string friendlyName)
{
using (var db = Database.Open(_connectionString))
{
var sql = "INSERT INTO Tags(Name, UrlFriendlyName) " +
"VALUES(@0,@1)";
db.Execute(sql, name, friendlyName);
}
}
I changed the method so that it uses a stored procedure instead 我更改了方法,使其改为使用存储过程
public static void Add(string name, string friendlyName)
{
using (var db = Database.Open(_connectionString))
{
// USE STORED PROCEDURE
var query = "Exec insertTags @name='" + name + "', @urlFriendlyName= '" + friendlyName + "'";
db.Execute(query);
}
}
The stored procedure looks like the following 存储过程如下所示
CREATE PROCEDURE insertTags
@name nvarchar(25),
@urlFriendlyName nvarchar(25)
AS
BEGIN
BEGIN Transaction
BEGIN TRY
INSERT INTO dbo.Tags(Name, UrlFriendlyName)
VALUES(@name, @urlFriendlyName)
IF @@TRANCOUNT > 0
BEGIN COMMIT TRANSACTION;
END
END TRY
BEGIN CATCH
IF @@TRANCOUNT > 0
BEGIN ROLLBACK TRANSACTION;
END
END CATCH
END
Both of these methods work just fine. 这两种方法都可以正常工作。 My question is, does the method that utilize the stored procedure provide security against SQL injections like the first one does? 我的问题是,利用存储过程的方法是否像第一个一样提供了针对SQL注入的安全性? Thanks. 谢谢。
EDIT 编辑
I changed the second method to use parameters instead of string concatenation and it works. 我将第二种方法更改为使用参数而不是字符串连接,并且它可以工作。 Is this safe against SQL injections? 这样对SQL注入安全吗?
public static void Add(string name, string friendlyName)
{
using (var db = Database.Open(_connectionString))
{
// USE STORED PROCEDURE
var query = "Exec insertTags @0, @1";
db.Execute(query, name, friendlyName);
}
}
3 个解决方案
解决方案1
1 2015-01-08 09:19:45
You need to use parameters instead of string concatenations. 您需要使用参数而不是字符串串联。 In this case you will be safe 在这种情况下,您会很安全
解决方案2
0 2015-01-08 09:20:16
No, it doesn't. 不,不是。 As soon as you construct a SQL statement by concatenating strings together, you are at risk of SQL injection. 通过将字符串串联在一起构造SQL语句后,您就有可能遭受SQL注入。
For example: 例如:
"Exec insertTags @name='" + name
Someone could pass: "Anything'; DROP TABLE xxx;" 有人可以通过:“任何内容;删除表xxx;” for name, and potentially break your database. 的名称,并可能破坏您的数据库。 You can still use parameterized queries with stored procedures, so they can offer the same protection, just not in the way you're calling it in your example. 您仍然可以对存储过程使用参数化查询,因此它们可以提供相同的保护,只是不像您在示例中调用那样。
解决方案3
0 2015-01-08 09:24:07
Any use of string concatenation in your application even when using a stored procedure automatically makes the execution of that code vulnerable to SQL injection. 即使在使用存储过程时,在应用程序中对字符串连接的任何使用也会自动使该代码的执行容易受到SQL注入的攻击。
In ADO.NET, the correct method of executing a stored procedure is to use the DbCommand classes with the CommandType set to CommandType.StoredProcedure and providing the stored procedure parameters in the Parameters collection. 在ADO.NET中,执行存储过程的正确方法是使用CommandType设置为CommandType.StoredProcedure的DbCommand类,并在Parameters集合中提供存储过程的Parameters 。
Link to MSDN: System.Data.Common.DbCommand 链接到MSDN: System.Data.Common.DbCommand
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.