堆栈内存溢出
  简体   繁体   English

如何避免在网址中注入代码

[英]How to avoid code injection in web url

 原文  2012-01-10 16:20:43       c#/ security/ encryption

问题描述

I want to know if there is anyway to avoid sql injection or XSS while reading a url. 我想知道在读取URL时是否有避免SQL注入或XSS的方法。 For example: https://abc?ID= some unique guid 例如: https:// abc?ID =一些唯一的guid

How to avoid sql injection etc when entered instead of valid GUID. 如何避免输入有效的GUID时输入sql等。

5 个解决方案

解决方案1
 4 已采纳  2012-01-10 16:23:58

There are a few things you can do. 您可以做几件事。

  1. Start off using parameterized queries or a good ORM . 从使用参数化查询或良好的ORM开始
  2. Look into the C# AntiXSS library . 查看C#AntiXSS库
  3. Sanitize your input. 清理您的输入。

Read up on preventing SQL Injection 阅读有关防止SQL注入的信息

Further reading 进一步阅读

SQL Injection is bigger than just the portion you're asking about. SQL注入不仅仅是您要询问的部分。 You want to be aware of all data going in and coming out of your database. 您想知道所有进出数据库的数据。 Implement the suggestions above and you "should" be pretty covered. 实施上述建议,您就应该“被覆盖”。

When it comes to the subject of the original question ( ?id=[guid] ), you want to make sure you're using the System.Guid data type when submitting the query. 当涉及原始问题的主题( ?id=[guid] )时,您要确保在提交查询时正在使用System.Guid数据类型。 If the string is NOT a valid GUID, then you know that there's a problem and you shouldn't complete the request (IE: don't even send the request to your repository later, and definitely don't send it as far as the database). 如果该string 不是有效的GUID,则说明存在问题,您不应该完成请求(即:以后甚至不要将请求发送到存储库,并且绝对不要发送到数据库)。

解决方案2
 1  2012-01-10 16:25:53

Simple. 简单。 Always sanitize input. 始终清理输入。 Never implicitly trust or execute something received from an external source (user, client machine, etc.). 切勿隐式信任或执行从外部源(用户,客户端计算机等)接收到的内容。

In the case of a GUID, use the System.Guid datatype instead of a string. 对于GUID,请使用System.Guid数据类型而不是字符串。 That is, in the case of using it in a SQL query, never just concatenate the string representation of the GUID into the query. 也就是说,在SQL查询中使用它的情况下,切勿仅将GUID的字符串表示形式连接到查询中。 Use query parameters and pass it an actual System.Guid object, which was created from the received string. 使用查询参数 ,并将其传递给实际的System.Guid对象,该对象是从接收的字符串创建的。

If it fails to create an actual System.Guid when parsing the string, that's an indication of invalid input. 如果在解析字符串时未能创建实际的System.Guid ,则表明输入无效。 At that point you shouldn't even bother with trying to build the SQL query or using the data access layer in any way, just return an error to the user. 那时,您甚至不必费心尝试构建SQL查询或以任何方式使用数据访问层,只需向用户返回错误即可。

解决方案3
 0  2012-01-10 16:25:12

It sounds like ID would be a number. 听起来ID可能是数字。 If it was than it is easy -- just cast the contents to a number and use this typed variable from then on in. If there is something else in the contents the system will just return an error. 如果不是那么简单,则将内容转换为数字,然后使用此类型的变量。如果内容中还有其他内容,系统将仅返回错误。

解决方案4
 0  2012-01-10 16:25:50

The first thing you should do is make SQL injection impossible. 您应该做的第一件事是使SQL注入成为不可能。 From my understanding, this approach will not result in SQL Injection. 据我了解,这种方法不会导致SQL注入。 This is referred to as "Parameterized Inputs". 这称为“参数化输入”。 

 string commandText = "UPDATE Sales.Store SET Demographics = @demographics "
    + "WHERE CustomerID = @ID;";
 SqlCommand command = new SqlCommand(commandText, connection);
    command.Parameters.Add("@ID", SqlDbType.Int);
    command.Parameters["@ID"].Value = customerID;

    // Use AddWithValue to assign Demographics.
    // SQL Server will implicitly convert strings into XML.
    command.Parameters.AddWithValue("@demographics", demoXml);

The second approach, is to make the GUID not passed through the URL. 第二种方法是使GUID不通过URL传递。 This makes it extremely easy to modify, so you may want to pass this value through POST instead of GET. 这使得修改起来非常容易,因此您可能希望通过POST而不是GET传递此值。 Doing this will not protect from SQL injection, but it will make it a little bit more difficult, and will help to ensure data integrity. 这样做并不能防止SQL注入,但是会使它变得更加困难,并有助于确保数据完整性。

More information: http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlcommand.parameters.aspx 详细信息: http : //msdn.microsoft.com/zh-cn/library/system.data.sqlclient.sqlcommand.parameters.aspx

解决方案5
 0  2012-01-10 16:29:02

Just don't pass the value in the ID query string parameter directly into the database. 只是不要将ID查询字符串参数中的值直接传递到数据库中。

You are using C# so you can use query parameters or something like the entity framework which will ensure that the data is formatted correctly for SQL Server (although it may not check whether it is a valid GUID - unless your underlying field or query type forces that) 您使用的是C#,因此您可以使用查询参数或类似实体框架的方法来确保为SQL Server正确格式化数据(尽管它可能不会检查它是否为有效的GUID,除非您的基础字段或查询类型强制执行该操作) )

For more information on SQL Injection Attacks, here's an article I wrote some years ago: http://colinmackay.co.uk/blog/2005/04/23/sql-injection-attacks-and-some-tips-on-how-to-prevent-them/ 有关SQL注入攻击的更多信息,这是几年前我写的一篇文章: http : //colinmackay.co.uk/blog/2005/04/23/sql-injection-attacks-and-some-tips-on-how -to-阻止,他们/

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何避免在应用程序的URL中注入脚本? - How to avoid this injection of script in the url of my application? 没有IOC的依赖注入-如何避免在生产代码中使用错误? - Dependency injection without IOC - How to avoid wrong usage in production code? 如何避免依赖注入构造函数的疯狂? - How to avoid Dependency Injection constructor madness? 使用WriteElementString时如何避免XML注入 - How to avoid XML Injection when using WriteElementString 从C#代码中避免在MSSQL Server上注入SQL的算法? - Algorithm to avoid SQL injection on MSSQL Server from C# code? 如何防止此代码中的 SQL 注入? - How to prevent SQL Injection in this code? 如何避免代码重复? - How to avoid code repeating? 如何避免重复代码? - How to avoid repeated code? 避免Web应用程序中代码重复的策略 - Strategies to avoid code duplication in web application 此查询是否存在SQL注入风险?如果是这样,我该如何避免呢? - Is there a SQL Injection risk with this query? If so, how can I avoid it?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM