asp.net 能否防御 sql 注入攻击
默认情况下,在使用 ASP 控件时,ASP.net 是否可以防止 SQL 注入攻击?
By default does ASP.net protect against SQL injection attacks when using ASP controls?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(7)
不会。只要您提供 SQL,您就可以明智地使用这些控件。
这通常意味着清理输入并在动态 SQL 字符串上使用参数化查询或存储过程。
如果控件正在为您生成查询(如会员控件等),那么您就会受到很好的保护。
No. As long as you're supplying the SQL, it's up to you to be smart in how you use the controls.
That usually means sanitizing input and using Parameterized Queries or Stored Procedures over dynamic SQL strings.
If the control is generating the queries for you (like the Membership Controls, etc.) then you're well protected.
是和不是。
ADO.NET 对参数化有很好的支持,当你正确使用它时,参数值将被自动清理以防止 SQL 注入。因此,您可以向
SqlCommand
(或SqlDataSource
控件)添加参数,而不必太担心其中的内容。好消息是参数化你的东西真的很容易。我将向您展示一个以编程方式执行此操作的 C# 示例,但是您也可以以声明方式执行此操作。如果您愿意,可以使用服务器控件。
坏消息是,就像其他事情一样,您仍然需要考虑自己在做什么。如果您想获得任何安全性,则来自不安全来源的任何字符串都必须参数化。如果将其逐字粘贴到查询中,您将绕过 ADO.NET 的安全功能。
安全:
不安全:
如果 SQL 查询中的任何内容直接来自用户,则需要将其放入参数中,否则一切都将失败。就像几乎所有其他事情一样,如果您真的想的话,可能会搬起石头砸自己的脚。例如,您可以获取 SQL 代码,将其放入参数中,然后将其传递给 SQL <代码> EXEC语句。但你不会那样做,对吧,因为这是一个非常糟糕的主意。
仍然不安全(是的,我在生产代码中看到了这一点)!
TL;DR: ADO.NET 具有阻止 SQL 注入的强大功能,但前提是您使用它们正确。
Yes and no.
ADO.NET has very good support for parameterization, and when you use it properly, the parameter values will be automatically sanitized to prevent SQL injection. So you can add parameters to a
SqlCommand
(or aSqlDataSource
control) without worrying too much about what's in them.The good news is that parameterizing your stuff is really easy. I'll show you a C# example for doing it programmatically, but you can do it declaratively with server controls if you prefer.
The bad news is that just like anything else, you still need to think about what you're doing. Any string from an unsafe source must be parameterized if you want to have any security. If you paste it verbatim into the query, you'll have bypassed ADO.NET's security features.
Secure:
Not secure:
If anything in your SQL query comes straight from the user, you need to put it in a parameter or all bets are off. And just like almost anything else, it's possible to shoot yourself in the foot if you really want to. For example, you could take SQL code, put it in a parameter, and pass it to a SQL
EXEC
statement. But you wouldn't do that, would you, because it is a Very Bad Idea.Still not secure (yes, I saw this in production code)!
TL;DR: ADO.NET has great features to stop SQL injection, but only if you to use them correctly.
大多数 ASP.Net 控件(DataGrid 除外)根本不使用 SQL。
如果您的代码中有自己的 SQL(使用
SqlCommand
),您不会获得任何免费的保护;你需要使用参数。少数使用 SQL 的控件(SqlDataSource 和成员资格框架)确实使用参数并且可以安全地防止注入。
Most ASP.Net controls (except for DataGrid) do not use SQL at all.
If you have your own SQL in your code (using
SqlCommand
s), you don't get any free protection; you need to use parameters.The few controls that do use SQL (SqlDataSource and the membership framework) do use parameters and are safe against injection.
ASP.NET 不能防止 SQL 注入!
ASP.NET 只是 Web 应用程序的框架,它并不规定您访问数据库的方式。这取决于您如何实现数据访问:
可能我在答案中忘记提及很多内容,但您可以看到答案是:“这取决于”
ASP.NET does not protect against SQL injections!
ASP.NET is just the framework for web applications and it does not dictate in what way you access your database. It depends on how you implement your data access:
Probably I forgot to mention a lot in my answer, but you can see that the answer is: "it depends"
如果您始终使用
SqlParameter
,并且从不将用户输入连接到 SQL 中,那么您应该是安全的。您也可以使用SqlParameter
而无需存储过程。If you always use
SqlParameter
s, and never concatenate user input into SQL, you should be safe. You can useSqlParameter
s without stored procedures too.不,ASP.Net 不能防止 SQL 注入。 MS 为 ASP.NEt 控件提供的代码应该是免 SQL 注入的,但这并不能阻止开发人员可能陷入的所有问题。最好的防御是充分理解 SQL 注入并仔细编码。当由于某种原因无法实现这一点时,有一些工具可以提供帮助,例如 Microsoft 代码分析工具 .NET (CAT.NET)。这是一个免费的VS插件,可以分析生成的程序集并检测SQL注入、XSS和XPath注入风险。这样的工具并非万无一失,但总比没有好得多。
No, ASP.Net does not protect against SQL Injections. The MS shipped code for the ASP.NEt controls is supposed to be SQL Injection free, but this does not prevent all problems one developer can corner himself into. The best defense is a good understanding of SQL Injection and careful coding. When this is unattainable, for whatever reasons, there are tools that can help like Microsoft Code Analysis Tool .NET (CAT.NET). This is a free VS plug-in that can analyze the generated assemblies and detect SQL Injection, XSS and XPath injection risks. Such a tool is not bulletproof, but is much better than nothing.
部分地。有一个默认打开的过滤器,除非将其关闭,否则很难构建 SQL 注入攻击。
许多 ASPNET 应用程序用来访问 MSSQL 数据库的方法也使它们普遍能够抵抗 SQL 注入攻击。
但如果您足够粗心,仍然有可能创建易受攻击的应用程序。
Partially. There is a filter which is turned on by default which makes constructing an SQL injection attack difficult unless it's turned off.
The method which many ASPNET applications use to access MSSQL databases also makes them generally resistant to SQL injection attacks.
But it is still POSSIBLE to create a vulnerable application if you are careless enough.