[英]DataBase Connection String Parameter Pollution fortify issue
我開發了一個工具,當我運行 fortify 時,我遇到了 6 個與 Db 連接字符串相關的關鍵問題,指出“將未經驗證的輸入連接到數據庫連接中可能允許攻擊者覆蓋請求參數的值。攻擊者可能是能夠覆蓋現有參數值、注入新參數或利用直接可達的變量。”
public bool sqlDbValidateUser(string databaseHostname, string databaseName, string databaseUsername, string databasePassword)
{
_logger.Info("starting sql DB validation");
string ConnectionString = "Data Source=" + databaseHostname + "; " +
"Initial Catalog=" + databaseName + ";" +
"User id=" + databaseUsername + ";" +
"Password=" + databasePassword + ";";
using (SqlConnection connection = new SqlConnection(ConnectionString))
{
try
{
connection.Open();
return true;
}
catch(Exception)
{
return false;
}
finally
{
if(connection !=null)
{
connection.Close();
}
}
}
}
使用 Sql 數據庫時,字符串連接是完全邪惡的。 做您正在嘗試的正確方法是,替換此代碼:
string connectionString = "Data Source=" + databaseHostname + "; " +
"Initial Catalog=" + databaseName + ";" +
"User id=" + databaseUsername + ";" +
"Password=" + databasePassword + ";";
使用此代碼:
string connectionString;
try
{
var builder = new SqlConnectionStringBuilder();
builder.DataSource = databaseHostname;
builder.InitialCatalog = databaseName;
builder.UserID = databaseUsername;
builder.Password = databasePassword;
connectionString = builder.ToString();
}
catch
{
return false;
}
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.