SQL injection question
I have an HttpHandler page which I use to do some stuff that includes using the DB. I need to be able to prevent people from getting access to this file, and to make sure that the info's path is my website and not another web page which uses ProcessRequest to achieve this.
public void ProcessRequest (HttpContext context) {
    // Inside a handler HttpContext.Current is the same context that was passed in,
    // so this compares the request's host with itself and never returns early.
    if (context.Request.Url.Authority.ToString() != HttpContext.Current.Request.Url.Authority.ToString())
        return;
    context.Response.ContentType = "text/plain";
    // Throws a NullReferenceException if the form field is absent.
    string str = context.Request.Form["recordsArray[]"].ToString();
    char[] delimiters = new char[] { ',', ';' };
    string[] arr = str.Split(delimiters);
    for (int i = 0; i < arr.Length; i++)
    {
        Functions.Add(new tab(arr[i])); // insert records into table Tabs => int id, string name
    }
}
Comments (2)
If you want to prevent people from having access to some resource, normally you protect this resource with authentication: you grant authorized users a username/password, allowing you to distinguish them from unauthorized users.
An HTTP request can be forged and made to look exactly as if it was coming from your domain, while actually it doesn't. So the only way is to use some secret.
You could also use something that handles SQL injection for you.
Linq to SQL: http://weblogs.asp.net/scottgu/archive/2007/09/07/linq-to-sql-part-9-using-a-custom-linq-expression-with-the-lt-asp-linqdatasource-gt-control.aspx
or, for something a bit simpler, you could just use SQL parameters (which is what Linq to SQL uses):
(a short guide): http://www.sharpdeveloper.net/content/archive/2007/05/25/creating-sqlparameters-best-practices.aspx
or here:
http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlparameter.aspx
I know this isn't specifically a solution for you, but I hope it helps.
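As an added example (not the asker's code and not part of either answer), here is how the handler from the question could apply both answers at once: it refuses requests that do not carry a login and a session-bound secret token, which is the "secret" the first answer recommends because the Authority check in the question compares the request with itself and a Referer or Origin header can be forged from outside a browser; and it inserts the names through a SqlParameter instead of concatenating them into the INSERT, which is the second answer. The connection-string name TabsDb, a table Tabs with an identity id and a 100-character name column, the session and form field names, and the Functions/tab types being replaced by InsertTabs are all assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web;
using System.Web.SessionState;

// Added example, not the asker's code. Assumed: connection string "TabsDb",
// table Tabs(id int identity, name nvarchar(100)), and the key names below.
public class TabsHandler : IHttpHandler, IRequiresSessionState
{
    const string TokenSessionKey = "TabsHandlerToken"; // assumed name
    const string TokenFieldName  = "__tabsToken";      // assumed name
    const int    MaxNameLength   = 100;                // assumed column width

    // Call this from the page that renders the form and emit the returned value
    // in a hidden field named TokenFieldName. Only a page on this site can put
    // the token into this user's session, so only this site's form can post it.
    public static string IssueToken(HttpSessionState session)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        string token = Convert.ToBase64String(bytes);
        session[TokenSessionKey] = token;
        return token;
    }

    // Compares every character regardless of where the first mismatch is, so
    // response timing does not leak the token one character at a time.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Origin cannot be proven from the request itself; require a logged-in
        // user (forms authentication or similar) plus the session-bound token.
        if (context.Request.HttpMethod != "POST" || !context.Request.IsAuthenticated)
        {
            context.Response.StatusCode = 403;
            return;
        }
        string expected = context.Session[TokenSessionKey] as string;
        string supplied = context.Request.Form[TokenFieldName];
        if (!FixedTimeEquals(expected, supplied))
        {
            context.Response.StatusCode = 403;
            return;
        }

        // A missing field gives "" instead of a NullReferenceException.
        string raw = context.Request.Form["recordsArray[]"] ?? string.Empty;
        string[] names = raw.Split(new[] { ',', ';' }, StringSplitOptions.RemoveEmptyEntries);

        int inserted = InsertTabs(names);
        context.Response.ContentType = "text/plain";
        context.Response.Write(inserted.ToString());
    }

    // Parameterised INSERT: the name travels as a typed value, never as SQL text,
    // so input such as  x'); DROP TABLE Tabs;--  is stored literally. The whole
    // list runs in one transaction so a failure leaves no half-inserted batch.
    public static int InsertTabs(string[] names)
    {
        string cs = ConfigurationManager.ConnectionStrings["TabsDb"].ConnectionString;
        int count = 0;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand("INSERT INTO Tabs (name) VALUES (@name)", conn))
        {
            SqlParameter p = cmd.Parameters.Add("@name", SqlDbType.NVarChar, MaxNameLength);
            conn.Open();
            using (SqlTransaction tx = conn.BeginTransaction())
            {
                cmd.Transaction = tx;
                foreach (string name in names)
                {
                    string trimmed = name.Trim();
                    if (trimmed.Length == 0 || trimmed.Length > MaxNameLength) continue;
                    p.Value = trimmed;           // reuse the prepared command per row
                    count += cmd.ExecuteNonQuery();
                }
                tx.Commit();
            }
        }
        return count;
    }
}
```

The page that hosts the form calls TabsHandler.IssueToken(Session) while rendering and writes the result into a hidden input named __tabsToken; the JavaScript that posts recordsArray[] sends that field along. The same pattern is what ASP.NET's built-in System.Web.Helpers.AntiForgery helper implements, so on a project that already references it, AntiForgery.Validate() can replace the hand-rolled token check. The length limit on the parameter is what keeps the value from being truncated silently: with SqlDbType.NVarChar and a declared size the driver rejects nothing by itself, which is why the code skips over-long names before assigning them.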