如何在不使用 cfqueryparam 的情况下对 varchar 进行编码/转义以更安全?
如何在不使用 cfqueryparam 的情况下对 varchar 进行编码/转义以更安全?我想实现相同的行为,而不使用
更新:
- I想要验证/安全部分,而不生成准备好的语句。
- 我可以对
- 类似于
mysql_real_escape_string()或许?
How I can encode/escape a varchar to be more secure without using cfqueryparam? I want to implement the same behaviour without using <cfqueryparam> to get around "Too many parameters were provided in this RPC request. The maximum is 2100" problem. See: http://www.bennadel.com/blog/1112-Incoming-Tabular-Data-Stream-Remote-Procedure-Call-Is-Incorrect.htm
Update:
- I want the validation / security part, without generating a prepared-statement.
- What's the strongest encode/escape I can do to a varchar inside
<cfquery>? - Something similar to
mysql_real_escape_string()maybe?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(6)
正如其他人所说,与长度相关的错误源于更深层次,而不是在 queryparam 标记内。它提供了一些有价值的保护,因此存在是有原因的。
您始终可以将这些值插入到临时表中并与该临时表连接,或者使用列表函数将该庞大列表拆分为几个较小的列表,然后单独使用这些列表。
As others have said, that length-related error originates at a deeper level, not within the queryparam tag. And it offers some valuable protection and therefore exists for a reason.
You could always either insert those values into a temporary table and join against that one or use the list functions to split that huge list into several smaller lists which are then used separately.
cfqueryparam 执行多种功能。
它验证数据类型。如果你说整数,它确保存在一个整数,如果没有,它不允许它通过
它将 SQL 脚本的数据与可执行代码分开(这是你获得 SQL 注入保护的地方) 。作为参数传递的任何内容都无法执行。
它在数据库引擎级别创建绑定变量以帮助提高性能。
这就是我理解 cfqueryparam 工作的方式。您是否考虑过进行多次小呼叫与一次大呼叫的选择?
cfqueryparam performs multiple functions.
It verifies the datatype. If you say integer, it makes sure there is an integrer, and if not, it does nto allow it to pass
It separates the data of a SQL script from the executable code (this is where you get protection from SQL injection). Anything passed as a param cannot be executed.
It creates bind variables at the DB engine level to help improve performance.
That is how I understand cfqueryparam to work. Did you look into the option of making several small calls vs one large one?
这是一个安全问题。停止 SQL 注入
Adobe 建议您在每个 cfquery 标记中使用 cfqueryparam 标记,以帮助保护您的数据库免受未经授权的用户的攻击。有关详细信息,请参阅安全公告 ASB99-04“动态查询中的多个 SQL 语句”(网址为 www.adobe.com/devnet/security/security_zone/asb99-04.html)以及 ColdFusion 开发人员指南中的“访问和检索数据”指导。
It is a security issue. Stops SQL injections
Adobe recommends that you use the cfqueryparam tag within every cfquery tag, to help secure your databases from unauthorized users. For more information, see Security Bulletin ASB99-04, "Multiple SQL Statements in Dynamic Queries," at www.adobe.com/devnet/security/security_zone/asb99-04.html, and "Accessing and Retrieving Data" in the ColdFusion Developer's Guide.
我问自己的第一件事是“我到底是怎么在一个查询中得到超过 2100 个参数的?”。因为这本身对你来说应该是一个非常非常大的危险信号。
但是,如果您坚持这一点(要么是因为它超出了您的控制范围,要么超出了您解决问题的动力水平;-),那么我会考虑:
*
这有点严峻,但是您的整个查询听起来又很严峻,所以这可能不是一个问题。
参数值超过一定长度或其中包含停用词或其他内容。这也是一个相当严峻的建议。
认真回顾一下您的要求,看看是否有办法不需要 2100+ 参数。你实际上需要做什么,需要这一切???
The first thing I'd be asking myself is "how the heck did I end up with more than 2100 params in a single query?". Because that in itself should be a very very big red flag to you.
However if you're stuck with that (either due to it being outwith your control, or outwith your motivation levels to address ;-), then I'd consider:
*
That's a bit grim, but then again your entire query sounds grim, so that might not be such a concern.
param values that are over a certain length or have stop words in them or something. This is also quite a grim suggestion.
SERIOUSLY go back over your requirement and see if there's a way to not need 2100+ params. What is it you're actually needing to do that requires all this???
问题不在于 cfqueryparam,而在于 MsSQL 本身:
每个 SQL 批处理都必须符合批处理大小限制:65,536 * 网络数据包大小。
最大大小SQL Server 查询? IN 子句?有没有更好的方法
和
http://msdn.microsoft. com/en-us/library/ms143432.aspx
The problem does not reside with cfqueryparam, but with MsSQL itself :
Every SQL batch has to fit in the Batch Size Limit: 65,536 * Network Packet Size.
Maximum size for a SQL Server Query? IN clause? Is there a Better Approach
And
http://msdn.microsoft.com/en-us/library/ms143432.aspx
有几次我遇到这个问题,我已经能够使用子选择和/或表连接重写查询。我建议尝试像这样重写查询以避免参数 max。
如果无法重写(例如,所有多个参数都来自外部源),您将需要自己验证数据。我使用了以下正则表达式来执行安全验证:
如果在文本字符串中发现除逗号、下划线或句点之外的任何特殊字符,则代码将强制出错。 (您可能希望更干净地处理这种情况,而不仅仅是抛出错误。)我建议您根据正在验证的字段中的预期或允许的值进行必要的修改。如果您要验证逗号分隔的整数字符串,您可以改用限制性更强的正则表达式,例如
"[^0-9\ \,]",它只允许数字、逗号和空格。这个答案不会逃避角色,它首先不会允许他们。它应该用于您不会与
The few times that I have come across this problem I have been able to rewrite the query using subselects and/or table joins. I suggest trying to rewrite the query like this in order to avoid the parameter max.
If it is impossible to rewrite (e.g. all of the multiple parameters are coming from an external source) you will need to validate the data yourself. I have used the following regex in order to perform a safe validation:
The code will force an error if any special character other than a comma, underscore, or period is found in a text string. (You may want to handle the situation cleaner than just throwing an error.) I suggest you modify this as necessary based on the expected or allowed values in the fields you are validating. If you are validating a string of comma separated integers you may switch to use a more limiting regex like
"[^0-9\ \,]"which will only allow numbers, commas, and spaces.This answer will not escape the characters, it will not allow them in the first place. It should be used on any data that you will not use with
<cfqueryparam>. Personally, I have only found a need for this when I use a dynamic sort field; not all databases will allow you to use bind variables with theORDER BYclause.