How do you handle data errors?

Posted 2024-07-22 05:08:45 · 175 characters · 6 views · 0 comments


How do you deal with user input (unicode) that you need to be restricted to a certain set of values, and you want to minimize the risk to applications that you pass the data to further down the line. For example, if I were to store the data in SQL, I would want to remove any chance of a SQL injection. If I were to send it over the wire via HTTP, I would want to make sure it doesn't malform the request, etc.

I guess what I am asking is: is there any generic method for data sanitization?


Comments (3)

神仙妹妹 2024-07-29 05:08:45


Each interface has its own problems when it comes to ways to compromise the system. If you want to play it safe you will need to tailor the validations to suit the problems and/or threats that are relevant in the current context.

If a certain text box in a user interface should be used for numeric input, make sure that the user cannot type (or paste) anything non-numeric into it. If a certain control is used to collect a date from the user, validate that the given value is indeed a valid date (perhaps it should even fall within a certain range; validate that too).

Make sure to url encode anything that is being passed as a query string value in a http request. Use stored procedures and pass the values as parameters to them.

And so on. There is no free lunch, unfortunately.
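The three checks this answer lists (reject anything outside the allowed character set for a text field, validate numeric and date fields including a range, and URL-encode whatever goes into a query string) as an added Python example; it is not code from the answer or the original question. The field names, the allowed character set and the limits are constructed for illustration.

```python
"""Context-specific validation and encoding for untrusted Unicode input.

Added example (not from the original answer). Field names, limits and the
allowed character set below are constructed for illustration.
"""
import re
import unicodedata
from datetime import date
from urllib.parse import urlencode

# Allowed character set for a free-text name field: letters from any script,
# single spaces, apostrophes and hyphens between letter runs. Input outside
# this set is rejected rather than "cleaned", so the caller learns it was bad.
_NAME_RE = re.compile(r"^[^\W\d_]+(?:[ '\-][^\W\d_]+)*$", re.UNICODE)


def validate_name(raw: str, max_len: int = 64) -> str:
    # Normalise first (NFC) so visually identical inputs compare equal and the
    # regex sees precomposed characters.
    value = unicodedata.normalize("NFC", raw).strip()
    if not value or len(value) > max_len:
        raise ValueError("name is empty or too long")
    if not _NAME_RE.match(value):
        raise ValueError("name contains characters outside the allowed set")
    return value


def validate_quantity(raw: str, low: int = 1, high: int = 1000) -> int:
    # Numeric field: must be ASCII digits only and lie within a sane range.
    if not re.fullmatch(r"[0-9]{1,4}", raw.strip()):
        raise ValueError("quantity must be 1-4 ASCII digits")
    value = int(raw)
    if not low <= value <= high:
        raise ValueError(f"quantity must be between {low} and {high}")
    return value


def validate_delivery_date(raw: str, earliest: date, latest: date) -> date:
    # Date field: must be a real calendar date in ISO form and within a window.
    try:
        value = date.fromisoformat(raw.strip())
    except ValueError as exc:
        raise ValueError("delivery date must be YYYY-MM-DD") from exc
    if not earliest <= value <= latest:
        raise ValueError("delivery date outside the allowed window")
    return value


def build_query_string(params: dict) -> str:
    # urlencode percent-encodes every key and value (UTF-8), so characters such
    # as '&', '=', '#' or a space inside user data cannot split or reshape the
    # request.
    return urlencode(params, encoding="utf-8")


if __name__ == "__main__":
    name = validate_name("John O'Brian")
    qty = validate_quantity("42")
    when = validate_delivery_date("2024-08-01", date(2024, 7, 22), date(2024, 12, 31))
    print(build_query_string({"name": name, "qty": qty, "date": when.isoformat()}))
    for bad in ("Robert'); DROP TABLE customers;--", "a&b=c", ""):
        try:
            validate_name(bad)
        except ValueError as exc:
            print(f"rejected {bad!r}: {exc}")
```

Each validator returns the accepted value or raises, so downstream code only ever sees data that has passed the check relevant to its own context; the encoding step is applied at the point where the data enters the HTTP request, not at input time.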

陌伤ぢ 2024-07-29 05:08:45


In case of saving to the database this is very simple. Just use parameters (DbParameter objects) - they will protect you from SQL injection and also will add escape symbols if necessary.

The code can be like this:

using System.Data.OleDb;

// strConn holds the OLE DB connection string (defined elsewhere)
using (OleDbConnection cn = new OleDbConnection(strConn))
{
    cn.Open();
    // The OLE DB provider only supports positional '?' placeholders, not named ones
    string strSQL = "INSERT INTO customers (Name) VALUES (?)";
    OleDbCommand cmd = new OleDbCommand(strSQL, cn);
    // The value is bound as a parameter, so the apostrophe needs no escaping
    cmd.Parameters.AddWithValue("@Name", "John O'Brian");
    cmd.ExecuteNonQuery();
}

我纯我任性 2024-07-29 05:08:45


Like nightcoder has suggested, parameters are the way to avoid SQL injection. If you're using SQL though, consider using the SqlClient namespace as it is more efficient than its OleDb counterpart and was created specifically for SQL Server 7 and up.

Using nightcoder's above example:

using System.Data;
using System.Data.SqlClient;

// strConn holds the SQL Server connection string (defined elsewhere)
using (SqlConnection cn = new SqlConnection(strConn))
{
    cn.Open();
    string strSQL = "INSERT INTO customers (Name) VALUES (@Name)";
    SqlCommand cmd = new SqlCommand(strSQL, cn);
    // Typed parameter; SqlDbType.VarChar is 8-bit text, use SqlDbType.NVarChar for a Unicode column
    cmd.Parameters.Add(new SqlParameter("@Name", SqlDbType.VarChar)).Value = "John O'Brian";
    cmd.ExecuteNonQuery();
}

Something to keep in mind about the SqlClient namespace is that if you're writing for older systems (Win98), then there may be compatibility issues, making OleDbXxx the better choice.

Cheers!
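The principle behind this answer and nightcoder's answer above (bind the value as a parameter instead of splicing it into the SQL text) as an added Python example using the sqlite3 DB-API driver; it is not code from either answer and is not ADO.NET. The in-memory table, the rows and the quote-containing inputs are constructed for the demo.

```python
"""Parameterised queries versus string concatenation.

Added example, not from either answer: shows in Python's sqlite3 (DB-API) the
same principle the answers show with ADO.NET parameters. Table, rows and the
inputs below are constructed for the demo.
"""
import sqlite3
from typing import List


def setup() -> sqlite3.Connection:
    # In-memory database with the customers table the answers refer to.
    cn = sqlite3.connect(":memory:")
    cn.execute("CREATE TABLE customers (Name TEXT)")
    return cn


def insert_concatenated(cn: sqlite3.Connection, name: str) -> None:
    # The defect the answers warn about: the value is spliced into the SQL
    # text, so a quote in the data changes the statement's structure.
    cn.execute("INSERT INTO customers (Name) VALUES ('" + name + "')")


def insert_parameterised(cn: sqlite3.Connection, name: str) -> None:
    # The fix: the driver sends the SQL and the value separately. The value is
    # bound as data and is never parsed as SQL, so no escaping is needed.
    cn.execute("INSERT INTO customers (Name) VALUES (?)", (name,))


def stored_names(cn: sqlite3.Connection) -> List[str]:
    return [row[0] for row in cn.execute("SELECT Name FROM customers ORDER BY rowid")]


def demo() -> dict:
    results = {}
    cn = setup()
    # Even the honest value from the answers breaks the concatenated version:
    # the apostrophe in O'Brian terminates the string literal early.
    try:
        insert_concatenated(cn, "John O'Brian")
        results["concat_ok"] = True
    except sqlite3.OperationalError as exc:
        results["concat_ok"] = False
        results["concat_error"] = str(exc)
    # With parameters the same value, and a value that looks like SQL, are
    # both stored literally as plain text.
    insert_parameterised(cn, "John O'Brian")
    insert_parameterised(cn, "x'); DELETE FROM customers; --")
    results["rows"] = stored_names(cn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated insert fails on the ordinary name from the answers before any hostile input is involved, which is the practical reason to use parameters everywhere rather than only where injection is suspected; the parameterised insert stores both values unchanged and the table still has exactly two rows.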
