为 SQL WHERE 子句构建安全搜索条件

发布于 2024-08-13 20:48:35 字数 303 浏览 4 评论 0原文

我需要构建与 WHERE 子句一起使用的搜索条件。然后,此搜索条件会传递到不同的应用程序,作为 SQL 查询的一部分来执行。因为搜索条件可能非常复杂(包括子查询),所以我不相信接收应用程序可以智能地解析它们以防止 SQL 注入攻击。

最佳实践表明应使用参数化查询。当您使用命令对象自己执行查询时,效果很好。就我而言,我希望获取带有合并参数的查询字符串,并解析出我感兴趣的搜索子句。有没有办法做到这一点?

我使用 MS SQL Server,目前只需将我从调用者收到的字符串中的所有单引号替换为两个单引号。是否有更好的方法来实现一定程度的 SQL 注入攻击防护?

I need to build search conditions to be used with WHERE clause. This search condition is then passed to a different application to be executed as a part of SQL query. Because there search conditions can be quite complex (including sub-queries) I don't believe receiving application can intelligently parse them to prevent SQL injection attacks.

Best practices state that parametrized queries should be used. That works fine when you use command object to execute the query yourself. In my case I wish to obtain that query string with parameters merged into it, and parse out where search clause I am interested in. Is there a way to do this?

I work with MS SQL Server and currently simply replace all single quotes with two single quotes in string I receive from a caller. Is there a better way to achieve some level of protection from SQL injection attacks?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

永不分离 2024-08-20 20:48:35

查看这两个链接

此代码是否可以防止 SQL 注入?

< a href="https://stackoverflow.com/questions/1834396/proving-sql-injection">证明 SQL 注入

蓝海似她心 2024-08-20 20:48:35

OWASP 的一些指南

some guidelines from OWASP

人事已非 2024-08-20 20:48:35

我认为你很好:根据 SQL Server在线图书,单个单引号似乎是退出以单引号开头的带引号字符串的唯一方法。因此,将 ' 替换为 '' 应该足以避免通过 string 变量进行 SQL 注入。

我想不出任何方法可以通过其他非字符串本机C# 数据类型注入 SQL,如果它们正确(区域设置不变)转换为字符串。

尽管如此,参数化查询是“推荐”的解决方案。目前,您的应用程序似乎是这样组织的:

  1. A 部分根据用户输入创建一个 WHERE 语句。
  2. 包含此 WHERE 语句的字符串将传递到 B 部分。B
  3. 部分添加 SELECT 等并将其发送到 SQL Server。

是否可以选择像这样重写您的应用程序?

  1. A 部分创建一个参数化 WHERE 语句以及一组基于用户输入的参数。
  2. 包含 WHERE 语句的字符串以及包含参数的哈希表(或类似内容)将传递给 B 部分。B
  3. 部分创建命令,添加 SELECT 等,添加参数并将其发送到 SQL Server。

我遇到了类似的情况,并通过创建一个 SubSQL 类来解决它,该类基本上包含一个带有 CommandText 的参数化字符串和一个带有参数的哈希表。然后,您可以将其用作 mySubSQL.CommandText += ...mySubSQL.Parameters("@myfield") = myValuemySubSQL.MergeInto(myCommand) (实现应该是明显且直接的)。

I think you are fine: According to the SQL Server Books Online, a solitary single quote seems to be the only way to exit a quoted string that was started with a single quote. Thus, replacing ' with '' should suffice to avoid SQL injection through string variables.

I cannot think of any way to inject SQL through other, non-string native C# data types, if they are properly (locale-invariant) converted to strings.

Nevertheless, parameterized queries are the "recommended" solution. At the moment, your application seems to be organized like this:

  1. Part A creates a WHERE statement based on user input.
  2. A string containing this WHERE statement is passed to Part B.
  3. Part B adds SELECT etc. and sends it to SQL Server.

Would it be an option to rewrite your application like this?

  1. Part A creates a parameterized WHERE statement plus a set of parameters based on user input.
  2. A string containing the WHERE statement plus a Hashtable (or something similar) containing the parameters is passed to Part B.
  3. Part B creates a command, adds SELECT etc., adds the parameters and sends it to SQL Server.

I was in a similar situation and solved it by creating a SubSQL class, which basically contains a parameterized string with the CommandText and a hash table with the parameters. You could then use this as mySubSQL.CommandText += ..., mySubSQL.Parameters("@myfield") = myValue and mySubSQL.MergeInto(myCommand) (the implementation should be obvious and straight-forward).

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文