asp.net 能否防御 sql 注入攻击

发布于 2024-10-19 11:29:27 字数 49 浏览 5 评论 0原文

默认情况下,在使用 ASP 控件时,ASP.net 是否可以防止 SQL 注入攻击?

By default does ASP.net protect against SQL injection attacks when using ASP controls?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(7

穿越时光隧道 2024-10-26 11:29:27

不会。只要您提供 SQL,您就可以明智地使用这些控件。

这通常意味着清理输入并在动态 SQL 字符串上使用参数化查询或存储过程。

如果控件正在为您生成查询(如会员控件等),那么您就会受到很好的保护。

No. As long as you're supplying the SQL, it's up to you to be smart in how you use the controls.

That usually means sanitizing input and using Parameterized Queries or Stored Procedures over dynamic SQL strings.

If the control is generating the queries for you (like the Membership Controls, etc.) then you're well protected.

口干舌燥 2024-10-26 11:29:27

是和不是。

ADO.NET 对参数化有很好的支持,当你正确使用它时,参数值将被自动清理以防止 SQL 注入。因此,您可以向 SqlCommand(或 SqlDataSource 控件)添加参数,而不必太担心其中的内容。

好消息是参数化你的东西真的很容易。我将向您展示一个以编程方式执行此操作的 C# 示例,但是您也可以以声明方式执行此操作。如果您愿意,可以使用服务器控件。

坏消息是,就像其他事情一样,您仍然需要考虑自己在做什么。如果您想获得任何安全性,则来自不安全来源的任何字符串都必须参数化。如果将其逐字粘贴到查询中,您将绕过 ADO.NET 的安全功能。

安全:

string name = txtName.Text;
sqlCommand.CommandText = "select * from product where name = @name";
sqlCommand.Parameters.AddWithValue("name", name);

不安全:

string name = txtName.Text;
sqlCommand.CommandText = "select * from product where name = " + name;

如果 SQL 查询中的任何内容直接来自用户,则需要将其放入参数中,否则一切都将失败。就像几乎所有其他事情一样,如果您真的想的话,可能会搬起石头砸自己的脚。例如,您可以获取 SQL 代码,将其放入参数中,然后将其传递给 SQL <代码> EXEC语句。但你不会那样做,对吧,因为这是一个非常糟糕的主意。

仍然不安全(是的,我在生产代码中看到了这一点)!

string sql = "select * from product where name = " + txtName.Text;
sqlCommand.CommandText = "exec(@sql)";
sqlCommand.Parameters.AddWithValue("sql", sql);

TL;DR: ADO.NET 具有阻止 SQL 注入的强大功能,但前提是您使用它们正确。

Yes and no.

ADO.NET has very good support for parameterization, and when you use it properly, the parameter values will be automatically sanitized to prevent SQL injection. So you can add parameters to a SqlCommand (or a SqlDataSource control) without worrying too much about what's in them.

The good news is that parameterizing your stuff is really easy. I'll show you a C# example for doing it programmatically, but you can do it declaratively with server controls if you prefer.

The bad news is that just like anything else, you still need to think about what you're doing. Any string from an unsafe source must be parameterized if you want to have any security. If you paste it verbatim into the query, you'll have bypassed ADO.NET's security features.

Secure:

string name = txtName.Text;
sqlCommand.CommandText = "select * from product where name = @name";
sqlCommand.Parameters.AddWithValue("name", name);

Not secure:

string name = txtName.Text;
sqlCommand.CommandText = "select * from product where name = " + name;

If anything in your SQL query comes straight from the user, you need to put it in a parameter or all bets are off. And just like almost anything else, it's possible to shoot yourself in the foot if you really want to. For example, you could take SQL code, put it in a parameter, and pass it to a SQL EXEC statement. But you wouldn't do that, would you, because it is a Very Bad Idea.

Still not secure (yes, I saw this in production code)!

string sql = "select * from product where name = " + txtName.Text;
sqlCommand.CommandText = "exec(@sql)";
sqlCommand.Parameters.AddWithValue("sql", sql);

TL;DR: ADO.NET has great features to stop SQL injection, but only if you to use them correctly.

自控 2024-10-26 11:29:27

大多数 ASP.Net 控件(DataGrid 除外)根本不使用 SQL。

如果您的代码中有自己的 SQL(使用 SqlCommand),您不会获得任何免费的保护;你需要使用参数。

少数使用 SQL 的控件(SqlDataSource 和成员资格框架)确实使用参数并且可以安全地防止注入。

Most ASP.Net controls (except for DataGrid) do not use SQL at all.

If you have your own SQL in your code (using SqlCommands), you don't get any free protection; you need to use parameters.

The few controls that do use SQL (SqlDataSource and the membership framework) do use parameters and are safe against injection.

七颜 2024-10-26 11:29:27

ASP.NET 不能防止 SQL 注入!

ASP.NET 只是 Web 应用程序的框架,它并不规定您访问数据库的方式。这取决于您如何实现数据访问:

  • 如果您使用 ADO.NET,并将 SQL 查询构建为字符串,那么您必须清理所有用户输入以防止注入。
  • 如果您使用 ADO.NET 并使用 SqlParameters,那么我认为您可以安全地防止注入。
  • 如果您使用 ORM 工具进行数据访问,那么我会说您是安全的(至少在使用通用工具时)。
  • 如果您使用 DataSet,那么您可能也是安全的。
  • 如果您正在使用一些第 3 方数据绑定控件,那么我希望他们能够防止 SQL 注入

可能我在答案中忘记提及很多内容,但您可以看到答案是:“这取决于”

ASP.NET does not protect against SQL injections!

ASP.NET is just the framework for web applications and it does not dictate in what way you access your database. It depends on how you implement your data access:

  • If you are using ADO.NET, and are building your SQL queries as strings, then you have to sanitize any user-input to be safe from injections.
  • If you are using ADO.NET and use SqlParameters, then I think you are safe against injections.
  • If you are using an ORM tool for data access, then I'd say you are safe (at least when using the common ones)
  • If you are using DataSets, then you are probably safe as well.
  • If you are using some 3rd-party databound controls, then I hope they are taking care of protecting against SQL injections

Probably I forgot to mention a lot in my answer, but you can see that the answer is: "it depends"

带上头具痛哭 2024-10-26 11:29:27

如果您始终使用 SqlParameter,并且从不将用户输入连接到 SQL 中,那么您应该是安全的。您也可以使用 SqlParameter 而无需存储过程。

If you always use SqlParameters, and never concatenate user input into SQL, you should be safe. You can use SqlParameters without stored procedures too.

遗心遗梦遗幸福 2024-10-26 11:29:27

不,ASP.Net 不能防止 SQL 注入。 MS 为 ASP.NEt 控件提供的代码应该是免 SQL 注入的,但这并不能阻止开发人员可能陷入的所有问题。最好的防御是充分理解 SQL 注入并仔细编码。当由于某种原因无法实现这一点时,有一些工具可以提供帮助,例如 Microsoft 代码分析工具 .NET (CAT.NET)。这是一个免费的VS插件,可以分析生成的程序集并检测SQL注入、XSS和XPath注入风险。这样的工具并非万无一失,但总比没有好得多。

No, ASP.Net does not protect against SQL Injections. The MS shipped code for the ASP.NEt controls is supposed to be SQL Injection free, but this does not prevent all problems one developer can corner himself into. The best defense is a good understanding of SQL Injection and careful coding. When this is unattainable, for whatever reasons, there are tools that can help like Microsoft Code Analysis Tool .NET (CAT.NET). This is a free VS plug-in that can analyze the generated assemblies and detect SQL Injection, XSS and XPath injection risks. Such a tool is not bulletproof, but is much better than nothing.

温暖的光 2024-10-26 11:29:27

部分地。有一个默认打开的过滤器,除非将其关闭,否则很难构建 SQL 注入攻击。

许多 ASPNET 应用程序用来访问 MSSQL 数据库的方法也使它们普遍能够抵抗 SQL 注入攻击。

但如果您足够粗心,仍然有可能创建易受攻击的应用程序。

Partially. There is a filter which is turned on by default which makes constructing an SQL injection attack difficult unless it's turned off.

The method which many ASPNET applications use to access MSSQL databases also makes them generally resistant to SQL injection attacks.

But it is still POSSIBLE to create a vulnerable application if you are careless enough.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文