这里有可能发生 SQL 注入吗?
这可能是一个非常愚蠢的问题,但我想为什么不......
我正在使用带有实体框架的 RIA 服务作为后端。我的应用程序中有一些地方接受用户输入并使用他们的数据直接询问 RIA 服务(以及 EF 和我的数据库)问题。这些层中的任何一层是否有助于防止安全问题,还是我应该自己清理数据?
例如,每当新用户在应用程序中注册时,我都会调用此方法:(
[Query]
public IEnumerable<EmailVerificationResult> VerifyUserWithEmailToken(string token)
{
using (UserService userService = new UserService())
{
// token came straight from the user, am I in trouble here passing it directly into
// my DomainService, should I verify the data here (or in UserService)?
User user = userService.GetUserByEmailVerificationToken(token);
...
}
}
我是否应该滚动自己的用户验证系统完全是另一个问题,我们正在采用 MS 的会员框架。我更感兴趣一般在 SQL 注入和 RIA 服务中)
This may be a really dumb question but I figure why not...
I am using RIA Services with Entity Framework as the back end. I have some places in my app where I accept user input and directly ask RIA Services (and in turn EF and in turn my database) questions using their data. Do any of these layers help prevent security issues or should I scrub my data myself?
For example, whenever a new user registers with the app, I call this method:
[Query]
public IEnumerable<EmailVerificationResult> VerifyUserWithEmailToken(string token)
{
using (UserService userService = new UserService())
{
// token came straight from the user, am I in trouble here passing it directly into
// my DomainService, should I verify the data here (or in UserService)?
User user = userService.GetUserByEmailVerificationToken(token);
...
}
}
(and whether I should be rolling my own user verification system is another issue altogether, we are in the process of adopting MS's membership framework. I'm more interested in sql injection and RIA services in general)
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
sql 注入基于生成原始 sql 字符串时使用的未转义字符串
,例如
容易受到攻击,因为
$name的值可能包含 ' 标记,从而修改 sql 语句的含义。一个很好的例子是 if $name is' OR 1=1; --因此进行sql查询:这对于绕过密码检查非常有用,我可以告诉你:)
正确的方法是将'字符转义为\'(对于mysql)。这就是为什么 php 等语言提供 mysql_real_escape_string 的原因。但是,如果您使用正确的参数化查询系统,那么您可以传递您喜欢的任何内容,并且库将正确转义它。
看看你的代码,没有理由检查
token的值,除非你的 UserService 做了一些狡猾的 sql 字符串生成(我确信实体框架没有这样做,所以你应该没问题)sql injection is based on unescaped strings being used when generating a raw sql string
eg
is vulnerable, because the value of
$namecould contain a ' mark and thus modify the meaning of the sql statement. a good example is if $name is' OR 1=1; --hence making that sql query :which is very useful for bypassing password checks i can tell you :)
the correct way around this is to escape the ' character to \' (for mysql). that is why languages such as php provide
mysql_real_escape_string. however, if you use a proper parameterised query system, then you can pass through anything you like and the library will escape it correctly.looking at your code, there's no reason to check the value of
tokenunless your UserService does some dodgy sql string generation (and i'm sure entity-framework is not doing that, so you should be just fine)EF 将为您对此进行参数化,但是如果您确实想确保启动
SQL Profiler并查看发送到 SQL Server 的内容EF will parameterize this for you, however if you really want to make sure start up
SQL Profilerand see what is being sent to SQL Server您应该是安全的,我确信 EF 正在生成参数化查询以从数据库中检索数据。
You should be safe, I'm sure EF is generating parametrized queries to retrieve the data from your database.