具有受限数据库访问权限的SQL Server和C#的安全性实践
[英]Security practices for SQL Server & C# with limited database access
问题描述
I have a project that I am working on that is essentially a self service database restoration / backup tool for client machines that run a database locally on their machines and contain sensitive information. 
我有一个正在进行的项目,该项目本质上是用于客户端计算机的自助数据库恢复/备份工具,该客户端计算机在其计算机上本地运行数据库并包含敏感信息。 Due to the nature of the business, and the amount of clients we have I simply cannot create stored procedures to use on the database with the program I am creating. 由于业务的性质以及我们拥有的客户数量,我根本无法创建要与正在创建的程序一起在数据库上使用的存储过程。
I am aware that using raw SQL statements in string format is highly susceptible to injection attacks. 我知道以字符串格式使用原始SQL语句很容易受到注入攻击。 But with limited access to a database (essentially just to restore and back-up the database) I am asking what is the most effective and secure method to run these commands without compromising security? 但是,在对数据库的访问受限的情况下(基本上只是为了还原和备份数据库),我想问的是在不损害安全性的情况下运行这些命令的最有效和最安全的方法是什么?
Clients would simply choose the option "restore" or "backup" and the backup would only create a full copy-only backup of the database. 客户端只需选择“还原”或“备份”选项,备份将只创建数据库的完全仅复制备份。 The file location for both the backup and the restore would be set in the code an be unmodifiable. 备份和还原的文件位置都将在代码中设置,并且无法修改。
1 个解决方案
解决方案1
1 已采纳 2015-07-27 21:55:33
然后只需使用参数化查询
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.