
Sql Injection Attacks and Subsonic

If I use SubSonic to create the DAL for my web project, do I need to worry about preventing SQL injection attacks?

No, SubSonic uses parameters to pass data to the database; it takes care of that.

This depends on how you construct your queries. It is totally possible to write unsafe queries with SubSonic if you don't use parameters.

// Bad example: the user's text is spliced into the SQL statement itself,
// so whatever it contains is parsed as SQL rather than treated as a value.

string sql = "delete from Products where ProductName = " + rawUserInput;
QueryCommand qry = new QueryCommand(sql, Product.Schema.Provider.Name);
DataService.ExecuteQuery(qry);

// Should be: the statement carries a placeholder and the value is bound as a typed parameter.

string sql = "delete from Products where ProductName = @TargetName";
QueryCommand qry = new QueryCommand(sql, Product.Schema.Provider.Name);
qry.AddParameter("@TargetName", rawUserInput, DbType.String);
DataService.ExecuteQuery(qry);

The short answer is no. If you use the SubSonic generated classes or the Subsonic.Select class to generate your query/update/insert statements, then you do not need to worry, in that SubSonic uses parameters correctly.

Paul did point out, however, that if you go out of your way to write unsafe SQL, SubSonic will allow you to. SubSonic isn't your mother; it won't stop you. It is more like your best friend: it will tell you not to, but if you decide to do it, that is your decision.

Just to re-present Paul's example (if you have FK constraints):

    // Namespaces this snippet needs (at the top of the code-behind file):
    // using System; using System.Data; using System.Web; using SubSonic;
    // The original snippet starts mid-method; an ASP.NET Page_Load handler is assumed here.
    protected void Page_Load(object sender, EventArgs e)
    {
        string rawUserInput = "Queso Cabrales1";
        #region  BadExample
        // Concatenating rawUserInput into the statement makes it part of the SQL text.
        //string sql = "delete from Products where ProductName = " + rawUserInput;
        ////QueryCommand objQueryCommand = new QueryCommand(sql, Product.Schema.Provider.Name);
        ////DataService.ExecuteQuery(objQueryCommand);
        #endregion BadExample

        #region BetterExample
        // Should be: a placeholder in the statement, the value bound as a typed parameter.

        string sql = "update Products set ProductName =  @ProductName where ProductName='Queso Cabrales'";
        QueryCommand objQueryCommand = new QueryCommand(sql, Northwind.Product.Schema.Provider.Name);
        objQueryCommand.AddParameter("@ProductName" , rawUserInput, DbType.String);
        DataService.ExecuteQuery(objQueryCommand);


        panGvHolder.Controls.Clear();

        // Constant clauses only; no user input is concatenated here.
        Query qry = Northwind.Product.CreateQuery();
        qry.Columns.AddRange(Northwind.Product.Schema.Columns);
        qry.WHERE("UnitPrice > 15").AND("UnitsInStock < 20 ");
        //WHERE("UnitPrice > 15").AND("UnitsInStock < 30 ");
        #endregion BetterExample

        #region PresentResultsReplaceResponseWriteWithConsole.WriteLineForConsoleApp
        using (IDataReader rdr = qry.ExecuteReader())
        {
            Response.Write("<table>");
            while (rdr.Read())
            {
                Response.Write("<tr>");
                for (int i = 0; i < rdr.FieldCount; i++)
                {
                    Response.Write("<td>");
                    // Encode the cell value: column data written raw into HTML is a cross-site scripting risk.
                    Response.Write(HttpUtility.HtmlEncode(rdr[i].ToString()) + " ");
                    Response.Write("</td>");
                } //eof for 
                Response.Write("</tr>");
            }
            Response.Write("</table>");
        }
        #endregion PresentResultsReplaceResponseWriteWithConsole.WriteLineForConsoleApp

    } //eof method
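Both answers above make the same point: SubSonic is safe as long as the value reaches the database as a parameter, and unsafe the moment you paste it into the statement text. The following is an added example, not code from either answer or from the SubSonic project. It assumes SubSonic 2.x with its fluent `Select`/`Delete` API, a Northwind `Product` class generated by SubSonic (so that `Product.Schema` and `Product.Columns.*` exist), and a SQL Server provider that uses `@`-prefixed parameter markers; `rawUserInput` and the class and method names are constructed for the example. It builds the same delete-by-name and the same `UnitPrice`/`UnitsInStock` filter as the page, but through the query builder, and adds a small check a reviewer can run to confirm that the generated statement carries a placeholder rather than the raw value.

```csharp
using System;
using System.Collections.Generic;
using SubSonic;

// Added example (not from the original answers). Assumes SubSonic 2.x and the
// generated Northwind Product class; names below are constructed for illustration.
public static class SubSonicParameterDemo
{
    // Delete by name through the fluent API. The value never becomes part of the
    // SQL text: SubSonic emits a parameter marker and binds the value separately.
    public static int DeleteProductByName(string rawUserInput)
    {
        return new Delete()
            .From(Product.Schema)
            .Where(Product.Columns.ProductName).IsEqualTo(rawUserInput)
            .Execute();
    }

    // Same filter as the page's qry.WHERE("UnitPrice > 15").AND("UnitsInStock < 20 "),
    // written with typed constraints so the bounds are bound as parameters too.
    public static List<Product> LowStockExpensiveProducts(decimal minPrice, int maxStock)
    {
        return new Select()
            .From(Product.Schema)
            .Where(Product.Columns.UnitPrice).IsGreaterThan(minPrice)
            .And(Product.Columns.UnitsInStock).IsLessThan(maxStock)
            .ExecuteTypedList<Product>();
    }

    // Review check: the generated statement must contain a parameter marker and
    // must not contain the raw input itself. If the raw value shows up in the SQL
    // text, the value was concatenated rather than bound.
    public static bool IsParameterized(SqlQuery query, string rawValue)
    {
        string sql = query.BuildSqlStatement();
        return sql.Contains("@") && !sql.Contains(rawValue);
    }

    // Console usage; in a web project call the methods above from the page instead.
    public static void Main()
    {
        // Constructed input containing a quote: with concatenation this would change
        // the SQL structure, with a bound parameter it is just a string value.
        string rawUserInput = "Queso Cabrales'1";

        SqlQuery del = new Delete()
            .From(Product.Schema)
            .Where(Product.Columns.ProductName).IsEqualTo(rawUserInput);

        Console.WriteLine(del.BuildSqlStatement());
        Console.WriteLine(IsParameterized(del, rawUserInput)
            ? "parameterized: value is bound, not spliced into the SQL"
            : "NOT parameterized: value appears in the SQL text");
    }
}
```

The `IsParameterized` check is deliberately crude; it is meant as a quick assertion in a unit test over your own data-access code, catching the case where someone later replaces a builder call with string concatenation. The hand-written `QueryCommand` path shown in the answers is equally safe when every value goes through `AddParameter`; the builder simply makes it harder to forget.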

Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to repost, please cite this site's URL or the original URL. For any questions contact: yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM