参数化查询/不使用/使用查询
我这里的情况有点糟糕。我一直在使用商务服务器,它没有进行大量的清理/参数化。
我正在尝试构建查询以防止 SQL 注入,但是需要构建搜索对象上的搜索/where 子句等一些内容,并且没有参数化接口。
基本上,我无法参数化,但是如果可能的话,我希望能够使用相同的引擎来构建我的查询文本。除了编写我自己的参数化引擎(它可能仍然不如参数化查询)之外,还有其他方法可以做到这一点吗?
更新:示例
where 子句本质上必须构建为 sql 查询 where 子句:
CatalogSearch search = /// Create Search object from commerce server
search.WhereClause = string.Format("[cy_list_price] > {0} AND [Hide] is not NULL AND [DateOfIntroduction] BETWEEN '{1}' AND '{2}'", 12.99m, DateTime.Now.AddDays(-2), DateTime.Now);
*上面的示例是如何优化搜索,但是我们已经做了一些测试,该字符串是 未消毒。。
这就是我的问题所在,因为 .Format 中的任何输入都可能是用户输入,虽然我可以轻松地清理文本框中的输入,但我会错过边缘情况,这只是事物的本质。我在这里没有使用参数化查询的选项,因为 Commerce Server 在如何处理可扩展字段集(架构)和查询方面有一些疯狂的向后逻辑。自由文本搜索词已在某处预编译。 这意味着我无法直接访问 sql 表
我/喜欢/看到的是以下内容:
SqlCommand cmd = new SqlCommand("[cy_list_price] > @MinPrice AND [DateOfIntroduction] BETWEEN @StartDate AND @EndDate");
cmd.Parameters.AddWithValue("@MinPrice", 12.99m);
cmd.Parameters.AddWithValue("@StartDate", DateTime.Now.AddDays(-2));
cmd.Parameters.AddWithValue("@EndDate", DateTime.Now);
CatalogSearch search = /// constructor
search.WhereClause = cmd.ToSqlString();
I've got a bit of a poor situation here. I'm stuck working with commerce server, which doesn't do a whole lot of sanitization/parameterization.
I'm trying to build up my queries to prevent SQL Injection, however some things like the searches / where clause on the search object need to be built up, and there's no parameterized interface.
Basically, I cannot parameterize, however I was hoping to be able to use the same engine to BUILD my query text if possible. Is there a way to do this, aside from writing my own parameterizing engine which will probably still not be as good as parameterized queries?
Update: Example
The where clause has to be built up as a sql query where clause essentially:
CatalogSearch search = /// Create Search object from commerce server
search.WhereClause = string.Format("[cy_list_price] > {0} AND [Hide] is not NULL AND [DateOfIntroduction] BETWEEN '{1}' AND '{2}'", 12.99m, DateTime.Now.AddDays(-2), DateTime.Now);
*Above Example is how you refine the search, however we've done some testing, this string is NOT SANITIZED.
This is where my problem lies, because any of those inputs in the .Format could be user input, and while i can clean up my input from text-boxes easily, I'm going to miss edge cases, it's just the nature of things. I do not have the option here to use a parameterized query because Commerce Server has some insane backwards logic in how it handles the extensible set of fields (schema) & the free-text search words are pre-compiled somewhere. This means I cannot go directly to the sql tables
What i'd /love/ to see is something along the lines of:
SqlCommand cmd = new SqlCommand("[cy_list_price] > @MinPrice AND [DateOfIntroduction] BETWEEN @StartDate AND @EndDate");
cmd.Parameters.AddWithValue("@MinPrice", 12.99m);
cmd.Parameters.AddWithValue("@StartDate", DateTime.Now.AddDays(-2));
cmd.Parameters.AddWithValue("@EndDate", DateTime.Now);
CatalogSearch search = /// constructor
search.WhereClause = cmd.ToSqlString();
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
听起来您必须在构建查询之前亲自验证数据。我不是 .NET 人员,但在 CGI 世界中,我会使用以下内容来清理输入:
这将阻止我能想到的任何 SQL 注入,并且仍然允许使用通配符。唯一的问题是正则表达式很昂贵。
It sounds like you'll have to go old school and validate the data yourself before constructing the query. I'm not a .NET guy but in the CGI world I would sanitize the input with something like:
That will thwart any SQL injection I can think of and still allow wildcards. Only problem is the regexs are expensive.