stackoom
  简体   繁体   中英

How to protect against ASP.NET SQL Injections in SQL Azure

 原文  2014-08-28 22:16:28       c#/ sql/ asp.net/ sql-server/ azure

Question

I am interested in creating a connection between an ASP.NET website form and a SQL Azure database in the most secure way possible. The form is simply a contact form that needs to INSERT records into a database table. From what I have gathered so far, the most secure way to implement this is to create a separate login, and or a separate user in the database, and grant the user INSERT ONLY permissions on the schema in which to table is contained. I currently have an asp.net website and successfully have the application inserting data into the desired table, with the connection parameters for the azure account being those of the principle level login. Wouldnt it make sense to just create a different user/login for the application and save the principle login for SQL Server Management Studio? I have read that one of the common methods of avoiding SQL Injection threats is to have a stored procedure in the database. However, it seems to me that a smart idea woudl just be to create a limited user. What are some of the most secure approaches developers are taking in the Backend like SQL Azure ( Related to roles, users, and logins) to protect the website from intruders here, and from the app.config string data from being compromised?

Im currently using ASP.NET, SQL Azure, and C#. And I only use one control which is the contact control of an asp.net web form. The control is placed into multiple pages and has c# code behind. Hope this helps. Thank you in advance.

1 answers

solution1
 0  2014-08-28 22:24:02

Using ORM (such as Entity Framework or NHibernate) is the standard way to protect against sql-injections: it deals with proper parameter encoding.

Another way is using sql command parameters if you prefer avoiding ORM and using simple ADO.net access: this will encode insertions too.

Limiting user permissions can be useful generally, but not sufficient to protect from injections (as you can still inject a string to insert rubbish data).

Eg you build your query this way: 

var query = "INSERT INTO dbo.USERS(Name) values ('" + userNameFromForm + "')";

I can attack this by sending the following username: John') insert into dbo.USERS(Name) values ('rubbish which would result in the following query executed: 

INSERT INTO dbo.USERS(Name) values ('John') insert into dbo.USERS(Name) values ('rubbish')

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to protect against CSRF by default in ASP.NET MVC 4? How to protect against CSRF by default in ASP.NET Core How to protect against XSS in ASP.NET Core? How to publish asp.net project + Sql [First Migration] on azure How To Backup Microsoft Azure SQL Database Using ASP.NET How to connect asp.net Identity to SQL Azure Connecting asp.net Identity to SQL Azure Am I protected against SQL injections? How to deploy an ASP.NET Web App to Azure with an existing SQL Server database (Azure Data Studio) How to protect ASP.NET Web API 2
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM