SQL程序集和SQL注入
[英]SQL Assemblies and SQL Injections
问题描述
I have a couple of SQL CLR projects that are added into my SQL Server 2005 as assemblies. 
我有几个SQL CLR项目作为程序集添加到我的SQL Server 2005中。 They are accessed from my web app via stored procedures that fire off the assemblies. 它们可以通过我的Web应用程序通过存储过程来访问它们。
How and what are best practices for preventing SQL injections in my SQL assemblies? 在SQL程序集中阻止SQL注入的最佳实践是什么以及什么是最佳实践?
The assemblies have a bunch of code that builds crazy SQL statements (example): 程序集有一堆构建疯狂SQL语句的代码(例子):
sqlBuff.Append("SELECT ");
// Always put replicate weight values on the first.
sqlBuff.Append(colBuff.ToString());
sqlBuff.AppendLine(" FROM ");
String tableNames = colTabNameHelper.GetTableNameList(colNames);
String joinStr = colTabNameHelper.CreateJoinStr(tableNames);
sqlBuff.Append(joinStr);
sqlBuff.AppendLine(" WHERE (");
sqlBuff.Append(inMatrix.WeightVar);
Can I prevent injections here too? 我也可以在这里预防注射吗? Or does .NET/SQL Server help? 或.NET / SQL Server有帮助吗? Should I worry about this? 我应该担心吗?
1 个解决方案
解决方案1
2 已采纳 2012-11-30 01:23:30
The definitive way of avoiding injection attacks is to use Parameters . 避免注入攻击的最终方法是使用参数 。 Are you able to use these in the embedded assemblies? 你能在嵌入式组件中使用它们吗?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.