Classic ASP SQL injection protection

Published 2024-07-07 11:10:29 · 87 characters · 5 views · 0 comments · Original

What is a strong way to protect against sql injection for a classic asp app?

FYI I am using it with an Access DB. (I didn't write the app)

Comments (8)

吃素的狼 2024-07-14 11:10:30

Here are a couple of sqlinject scripts I made a long time ago, a simple version and an extended version:

' Simple version: strips a fixed list of keywords and characters, then doubles quotes.
function SQLInject(strWords)
dim badChars, newChars, i
badChars = array("select", "drop", ";", "--", "insert", "delete", "xp_")
newChars = strWords
for i = 0 to uBound(badChars)
newChars = replace(newChars, badChars(i), "")
next
newChars = replace(newChars, "'", "''")
newChars = replace(newChars, " ", "")
newChars = replace(newChars, "'", "|")
newChars = replace(newChars, "|", "''")
newChars = replace(newChars, "\""", "|")
newChars = replace(newChars, "|", "''")
SQLInject = newChars
end function


' Extended version: the same idea, but each blacklist entry is a case-insensitive regular expression.
function SQLInject2(strWords)
dim badChars, newChars, regEx, i
badChars = array( _
"select(.*)(from|with|by){1}", "insert(.*)(into|values){1}", "update(.*)set", "delete(.*)(from|with){1}", _
"drop(.*)(from|aggre|role|assem|key|cert|cont|credential|data|endpoint|event|fulltext|function|index|login|type|schema|procedure|que|remote|role|route|sign|stat|syno|table|trigger|user|view|xml){1}", _
"alter(.*)(application|assem|key|author|cert|credential|data|endpoint|fulltext|function|index|login|type|schema|procedure|que|remote|role|route|serv|table|user|view|xml){1}", _
"xp_", "sp_", "restore\s", "grant\s", "revoke\s", _
"dbcc", "dump", "use\s", "set\s", "truncate\s", "backup\s", _
"load\s", "save\s", "shutdown", "cast(.*)\(", "convert(.*)\(", "execute\s", _
"updatetext", "writetext", "reconfigure", _
"/\*", "\*/", ";", "\-\-", "\[", "\]", "char(.*)\(", "nchar(.*)\(")
newChars = strWords
for i = 0 to uBound(badChars)
Set regEx = New RegExp
regEx.Pattern = badChars(i)
regEx.IgnoreCase = True
regEx.Global = True
newChars = regEx.Replace(newChars, "")
Set regEx = nothing
next
newChars = replace(newChars, "'", "''")
SQLInject2 = newChars
end function

北城半夏 2024-07-14 11:10:30

Using parameterized queries, you need to create a command object and assign it parameters with a name and a value; if you do so you wouldn't need to worry about anything else (referring to SQL injection of course ;))

http://prepared-statement.blogspot.com/2006/02/asp-prepared-statements.html

And don't trust stored procedures, they can become an attack vector too if you don't use prepared statements.
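The parameterized query this answer describes, written out as an added example for a classic ASP page talking to an Access (Jet) database through ADODB.Command. This is not code from the answer or from the linked blog post; the table name, column names, form field names and the .mdb path are assumptions. The code runs inside the page's `<% %>` block.

```vbscript
' Added example: a parameterized SELECT in classic ASP against an Access
' database. Table, column, form field and path names are assumptions.
Option Explicit

' ADO constants (ADOVBS.inc values) so the page does not need the include file.
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarChar = 200

Dim conn, cmd, rs, userName, minAge

' Assumed connection string; point Data Source at your own .mdb file.
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("/data/app.mdb")

' Untrusted request values are read once and never concatenated into SQL text.
userName = Request.Form("username")
minAge = Request.Form("minage")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' Jet uses positional '?' placeholders; parameters are appended in the same order.
cmd.CommandText = "SELECT CustomerID, FullName FROM Customers WHERE UserName = ? AND Age >= ?"
cmd.Parameters.Append cmd.CreateParameter("pUserName", adVarChar, adParamInput, 50, userName)
' CLng raises a type mismatch on non-numeric input, so validate minage before this line.
cmd.Parameters.Append cmd.CreateParameter("pMinAge", adInteger, adParamInput, 4, CLng(minAge))

Set rs = cmd.Execute
Do Until rs.EOF
    ' Output encoding is a separate concern from SQL injection, but it belongs here too.
    Response.Write Server.HTMLEncode(rs("FullName")) & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
```

The values bound through CreateParameter are sent to the provider as typed data, so a quote or a comment marker inside username cannot change the shape of the statement; the only text the driver parses is the fixed CommandText.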

治碍 2024-07-14 11:10:30

"A strong way to protect against sql injection for a classic asp app" is to ruthlessly validate all input. Period.

Stored procedures alone and/or a different database system do not necessarily equal good security.

MS recently put out a SQL Injection Inspection tool that looks for unvalidated input that is used in a query. THAT is what you should be looking for.

Here's the link:
The Microsoft Source Code Analyzer for SQL Injection tool is available to find SQL injection vulnerabilities in ASP code

唯憾梦倾城 2024-07-14 11:10:30

if stored procedures are not an option - and even if they are - validate all inputs thoroughly

寒尘 2024-07-14 11:10:30

Hey, any database is as good as the developer who uses it.

Nothing more but nothing less.

If you are a good developer you can build an e-commerce site using text files as a database.
Yes, it will not be as good as an Oracle-driven website, but it will do just fine for a small business like home-based custom jewelry manufacturing.

And if you are a good developer you will not use inline SQL statements on your ASP pages.
Even in Access you have the option to build and use queries.

Stored procs with data verification, along with HTML encoding -- is the best way to prevent any SQL injection attacks.

自由范儿 2024-07-14 11:10:30

The Microsoft Source Code Analyzer for SQL Injection tool is available to find SQL injection vulnerabilities in ASP code

猫弦 2024-07-14 11:10:30

Switching to SQL Express at the very least is a great option. It will make things much more secure. Even though using parameters and Stored Procedures can help greatly. I also recommend that you validate the inputs carefully to be sure they match what you're expecting.

For values like numbers it is fairly easy to extract the number to verify that it is indeed just a number. Escape all special characters for SQL. Doing this will prevent the attempted attack from working.
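The "verify that it is indeed just a number" step from this answer, as an added example that is not part of the answer: allow-list validation helpers for classic ASP that reject bad input before it reaches a query. The function names, the regular expressions, the allowed sort columns and the query-string field names are all assumptions; validation like this complements parameters rather than replacing them.

```vbscript
' Added example: allow-list input validation in classic ASP. Function names,
' patterns, allowed columns and field names are assumptions.
Option Explicit

' True only if s is an optionally signed decimal integer that fits the
' 32-bit LONG range Access/Jet integer columns use.
Function IsStrictInteger(s)
    Dim re, n
    IsStrictInteger = False
    Set re = New RegExp
    re.Pattern = "^-?\d{1,10}$"
    If re.Test(s) Then
        ' CLng raises on overflow (e.g. "9999999999"), so trap that separately.
        On Error Resume Next
        n = CLng(s)
        If Err.Number = 0 Then IsStrictInteger = True
        Err.Clear
        On Error GoTo 0
    End If
End Function

' True only if s is 1..50 characters drawn from letters, digits, dot,
' underscore or hyphen: a typical username allow-list.
Function IsValidUserName(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9._-]{1,50}$"
    IsValidUserName = re.Test(s)
End Function

' True only if s names one of a fixed set of sort columns. Identifiers cannot
' be bound as parameters, so an allow-list is the only safe way to use them.
Function IsAllowedSortColumn(s)
    Select Case LCase(s)
        Case "fullname", "createdon", "customerid"
            IsAllowedSortColumn = True
        Case Else
            IsAllowedSortColumn = False
    End Select
End Function

' Page usage: reject early and never build SQL from the raw values.
Dim minAge, userName, sortCol
minAge = Request.QueryString("minage")
userName = Request.QueryString("username")
sortCol = Request.QueryString("sort")

If Not IsStrictInteger(minAge) Or Not IsValidUserName(userName) Or Not IsAllowedSortColumn(sortCol) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid input."
    Response.End
End If
' Past this point CLng(minAge) and userName are safe to bind as parameters,
' and sortCol can be appended to ORDER BY because it is a known identifier.
```

Each helper returns a boolean instead of a "cleaned" string on purpose: rejecting input keeps the original value intact for the parameter binding, whereas the blacklist-and-strip approach in the first answer silently alters data and still lets through anything the list did not anticipate.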

妞丶爷亲个 2024-07-14 11:10:29

Stored Procedures and/or prepared statements:

https://stackoverflow.com/questions/1973/what-is-the-best-way-to-avoid-sql-injection-attacks

Can I protect against SQL Injection by escaping single-quote and surrounding user input with single-quotes?

Catching SQL Injection and other Malicious Web Requests

With Access DB, you can still do it, but if you're already worried about SQL Injection, I think you need to get off Access anyway.

Here's a link to the technique in Access:

http://www.asp101.com/samples/storedqueries.asp

Note that what typically protects from injection is not the stored procedure itself, but that fact that it is parameterized and not dynamic. Remember that even SPs which build dynamic code can be vulnerable to injection if they use parameters in certain ways to build the dynamic code. Overall, I prefer SPs because they form an interface layer which the applications get to the database, so the apps aren't even allowed to execute arbitrary code in the first place.

In addition, the execution point of the stored procedure can be vulnerable if you don't use command and parameters, e.g. this is still vulnerable because it's dynamically built and can be an injection target:

Conn.Execute("EXEC usp_ImOnlySafeIfYouCallMeRight '" + param1 + "', '" + param2 + "'") ;

Remember that your database needs to defend its own perimeter, and if various logins have rights to INSERT/UPDATE/DELETE in tables, any code in those applications (or compromised applications) can be a potential problem. If the logins only have rights to execute stored procedures, this forms a funnel through which you can much more easily ensure correct behavior. (Similar to OO concepts where objects are responsible for their interfaces and don't expose all their inner workings.)
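The execution-point problem this answer illustrates, as an added example that is not part of the answer: the dynamically built EXEC string from above (left commented out so it never runs) beside the parameterized call through ADODB.Command, which keeps the procedure name fixed and passes the values as typed parameters. The procedure name comes from the answer; the connection string location, the form field names and the result column are assumptions. The same CommandType works for an Access stored query as described at the asp101 link.

```vbscript
' Added example: vulnerable dynamic EXEC (commented out) beside the
' parameterized stored-procedure call. Field names and the connection
' string source are assumptions.
Option Explicit

Const adCmdStoredProc = 4
Const adParamInput = 1
Const adVarChar = 200

Dim conn, cmd, rs, param1, param2
param1 = Request.Form("param1")
param2 = Request.Form("param2")

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnectionString")   ' assumed to be set in global.asa

' VULNERABLE (the pattern from the answer): the procedure may be safe, but
' the caller pastes request text into the statement, so the text can change
' what gets executed. Kept as a comment so it is not run.
' Set rs = conn.Execute("EXEC usp_ImOnlySafeIfYouCallMeRight '" & param1 & "', '" & param2 & "'")

' SAFE: the statement is only the procedure name; the values travel as typed
' parameters and cannot alter the structure of what the server executes.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdStoredProc
cmd.CommandText = "usp_ImOnlySafeIfYouCallMeRight"
cmd.Parameters.Append cmd.CreateParameter("@param1", adVarChar, adParamInput, 100, param1)
cmd.Parameters.Append cmd.CreateParameter("@param2", adVarChar, adParamInput, 100, param2)
Set rs = cmd.Execute

Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs(0)) & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
```

Pair this with the permission model the answer describes: if the application's login can only execute procedures (or, in Access, stored queries) and has no direct INSERT/UPDATE/DELETE rights on the tables, a mistake at one call site cannot turn into arbitrary access to the data.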
