
Do I have to worry about inserts/updates/deletes/injection attacks when I use the following SqlDataAdapter?

Do I need to do anything in order to prevent inserts/updates/deletes/injection attacks when I'm using the following code?

using System.Data;
using System.Data.SqlClient;

// Runs whatever SQL text it is given (here: the statement extracted from a Crystal Report)
// and returns the result in a DataSet.
public static DataSet getReportDataSet(string sqlSelectStatement)
{
    SqlDataAdapter da = new SqlDataAdapter(sqlSelectStatement, new SqlConnection(GlobalVars.ConnectionString));
    DataSet reportData = new DataSet();
    da.Fill(reportData, "reportData");
    return reportData;
}

The idea behind this is that I'll be extracting the SQL from a series of Crystal Reports, pulling the data for each report from the MS SQL Server, binding the data to the reports and then exporting the filled reports to PDF.

I know that you can use the built-in functionality to get the reports to pull their own data, but my tests have shown that pushing the data to the reports is a whole bunch faster. My only issue with this is that I have no control over the reports that will be run.

People will be required to provide their own login credentials for the SQL Server, so they will only be able to see data from the databases that they have permissions to... but some of the users have write permissions, and I'm worried that blindly running an SQL string pulled from a Crystal Report could potentially allow for an insert/update/delete/injection attack...

I think that I might be worrying for nothing, but I can't find anything that outright states if this could be used for things aside from selects.

Edit:

So from the initial comments, I think that I do have to worry about SQL statements aside from SELECTs. So my question now becomes: is there some way to specify that an SqlConnection can only be used for 'reads' (i.e. SELECTs)?

The problem is not the adapter. The problem is how you pass parameters to your SQL command. You should not do things like

string sql = "SELECT * FROM t WHERE name='" + name +"'";

Instead use parameters:

using System.Data.SqlClient;

// The statement text is fixed; the name arrives as a parameter value, not as SQL text.
SqlCommand cmd = new SqlCommand("SELECT * FROM t WHERE name = @name", conn);
SqlParameter param = new SqlParameter();
param.ParameterName = "@name";
param.Value = "John Doe";
cmd.Parameters.Add(param);
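As an added example (not code from the question or from either answer), this is the question's getReportDataSet pattern rewritten the way the answer above suggests: the SQL text is fixed in code and the only user-supplied value reaches SqlDataAdapter as a typed parameter, so it cannot change the statement. The connection string, table name, column names and the customer value are assumptions made up for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class ReportData
{
    // Assumed connection string. Pair the parameterised query with a login that
    // only holds read rights (e.g. membership in the db_datareader fixed role), so
    // that a report whose text did contain INSERT/UPDATE/DELETE could not modify data.
    private const string ConnectionString =
        "Server=localhost;Database=Reports;Integrated Security=true";

    // The statement is a constant; customerName is sent as data, never as SQL text.
    public static DataSet GetCustomerReport(string customerName)
    {
        const string sql =
            "SELECT OrderId, OrderDate, Total FROM dbo.Orders WHERE CustomerName = @name";

        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        using (var da = new SqlDataAdapter(cmd))
        {
            // Explicit type and length: the driver ships the value separately from
            // the statement, so quotes inside it need no escaping at all.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = customerName;

            var reportData = new DataSet();
            da.Fill(reportData, "reportData");   // SqlDataAdapter opens/closes conn itself
            return reportData;
        }
    }

    public static void Main()
    {
        // A name with an apostrophe would break string concatenation; as a parameter
        // it is simply matched literally against CustomerName.
        DataSet ds = GetCustomerReport("O'Brien");
        Console.WriteLine(ds.Tables["reportData"].Rows.Count + " rows");
    }
}
```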

In general I would say: Yes, you have to.

But maybe Crystal Reports quotes the SQL-String already. Try an "attack" by yourself and see what sqlSelectStatement contains.

Guangdong ICP filing No. 18138465  © 2020-2024 STACKOOM.COM