当 SP 包含动态 SQL 时,在基于 Linq 的存储过程调用中转义撇号
我注意到以下情况:
正在开发的 ASP.NET MVC 网站在对包含动态 SQL 的存储过程进行 LINQ 调用时收到 SQL 错误“未闭合的引号...”。
例如:
使用具有值 [n'for] 的参数 [filter_name] 调用 SP GetEmployees 会抛出此错误
我可以通过执行 .replace("'", "''") 来解决此问题,如下所示:
[Function(Name = "dbo.GetEmployees")]
public ISingleResult<EmployeeRow> GetEmployees(
[Parameter(DbType = "NVarChar(MAX)")] string filter_name)
{
IExecuteResult result = this.ExecuteMethodCall(this, ((MethodInfo)(MethodInfo.GetCurrentMethod())), filter_name.Replace("'", "''"));
return ((ISingleResult<EmployeeRow>)(result.ReturnValue));
}
现在,我不'不想遍历我所有的 SP 并手动执行此操作。 有没有一种方法可以使其成为适用于我现在和将来进行的所有 Linq SP 调用的一般规则?
另外,我还应该转义其他内容来防止 SQL 注入攻击吗?
编辑:
添加问题:这会给不包含动态sql的SP带来问题吗? 我的意思是,当我在数据库中添加该名称时,它会存储为 [n''for] 吗? 我刚刚意识到这可能是这种情况,然后我无论如何都必须手动进行
I noticed the following:
An ASP.NET MVC website under development gets an SQL error "Unclosed quotation mark ..." when it makes a LINQ call to a stored procedure that contains dynamic SQL.
For example:
SP GetEmployees called with parameter [filter_name] that has value [n'for] throws this error
I can fix the problem by doing a .replace("'", "''") like this:
[Function(Name = "dbo.GetEmployees")]
public ISingleResult<EmployeeRow> GetEmployees(
[Parameter(DbType = "NVarChar(MAX)")] string filter_name)
{
IExecuteResult result = this.ExecuteMethodCall(this, ((MethodInfo)(MethodInfo.GetCurrentMethod())), filter_name.Replace("'", "''"));
return ((ISingleResult<EmployeeRow>)(result.ReturnValue));
}
Now, I don't feel like going trough all my SPs and doing this manually.
Is there a way to make this a general rule that should be applied to all Linq SP calls I have now and will make in the future?
Also, is there something else I should be escaping to prevent SQL injection attacks?
EDIT:
Added question: Will this give problems with SPs that dont include dynamic sql?
I mean, when I add that name in the database, will it be stored as [n''for]?
I just realized this will probably be the case and then I'll have to do in manually anyway
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
我建议您放弃动态 SQL,因为这是问题的根源。
(我知道这可能会导致很多其他问题,而且可能是不可能的。)
除非你能保证你正在构建的动态 SQL 是安全的,(所以你在内部控制这个逻辑,用户不会传递任何内容),这将是一个问题。
如果filter_name 包含\' 或-- 会发生什么?
I suggest you move away from dynamic SQL, as that's the root of the problem.
(I know this might cause lots of other issues though, and might not be possible.)
Unless you can guarantee that the dynamic SQL you're building is safe, (so you control this logic internally, with nothing being passed through from the user), it's going to be a problem.
What would happen if filter_name contained a \' or --?
我将在这里对我自己的问题给出(可能的)答案。 (如果您同意,请在评论中告诉我)
这应该在 SP 内部处理似乎更正确。
应用程序不应该担心某个SP是否包含动态sql。
I'm going to give a (possible) answer here to my own question. (let me know in comments if you agree)
It seems more correct that this should be handled inside the SP.
The application should not have to worry about wether a certain SP contains dynamic sql or not.