这些 SQL 查询是否会受到 SQL 注入攻击?
在一些友好的 Stack Overflow 成员的大力帮助下(特别感谢 Martin B 和 Kev Chadders),我重新编写了我的代码。我现在想检查我的代码在完成这项工作后是否仍然对 SQL 注入开放。我相信代码现在可以正常工作,但是您看到的任何令人眼花缭乱的错误我也很想听听。我的代码现在看起来像:
-code removed-
I have re-written my code after great help from some friendly stack overflow members (big thanks to Martin B and Kev Chadders especially). I would now like to check if my code is still open to SQL Injections after this work. I believe the code is now working as it should, but any blinding errors that you see i'd love to hear about too. My code is now looking like:
-code removed-
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
看起来您可以免受 SQL 注入攻击,但像这样的代码:
and:
可能会让您遭受其他形式的攻击,例如 XSS。您应该设置 ASP.NET 控件的文本元素,而不是直接写入页面。
It seems you are safe from SQL injection attacks, but code like this:
and:
could leave you open for other forms of attack such as XSS. You should set the text element of an ASP.NET control, not directly write to the page.
对我来说似乎不错。
基本上,如果您不连接 SQL 字符串并使用参数化查询,则可以安全地抵御 SQL 注入攻击。
Seems fine to me.
Basically, if you don't concatenate SQL string and uses parametrized queries, you're safe against SQL injection attacks.
您正在使用 SqlParameters ,它有效地删除所有SQL注入问题。
You're using SqlParameters which effectively removes all SQL injection issues.
您可以运行静态代码分析工具 CAT.NET 来识别项目中的所有 XSS 和 SQL 注入向量,包括引用的程序集。
http://www.microsoft.com/downloads/details.aspx microsoft.com/downloads/details.aspx?FamilyId=0178e2ef-9da8-445e-9348-c93f24cc9f9d&displaylang=en
报告通常会带来一些有趣的阅读体验。
You can run the static code analysis tool CAT.NET to identify all XSS and SQL injection vectors accross a project, including referenced assemblies.
http://www.microsoft.com/downloads/details.aspx?FamilyId=0178e2ef-9da8-445e-9348-c93f24cc9f9d&displaylang=en
Reports usually make for some interesting reading.
您应该运行扫描程序来检查潜在的 SQL 注入漏洞。我有一些运气 http://sqlmap.sourceforge.net/
You should run a scanner to check for potential SQL injection vulnerabilities. I have had some luck with http://sqlmap.sourceforge.net/