使sql插入语句安全
我仍然是 SQL 领域的新手,所以我有一个关于我是否使用安全做法的问题。
我有一个用户表,其中有一列用于额外注释,该表应该能够包含人们可以输入的几乎所有内容。我正在通过执行
notes = notes.replace("'", "''");
“Then” 来处理(或者我认为我是)注释字段中的单引号,我将执行的查询如下所示:
String query = "INSERT into users (username, password, notes) VALUES('" + username + "' , '" + password + "' , '" + notes + "'";
除了密码未加密之外,我还可能缺少什么?我并不指望很多黑客会知道这个软件的存在,但话又说回来,没有人期望他们的代码被黑客攻击。
I'm a newbie in the realm of SQL still, so I have a question about whether I'm using a safe practice.
I have a user table with a column for extra notes, which should be able to contain pretty much anything a person can type in. I'm taking care of (or I think I am) the single quotes in the notes field by doing
notes = notes.replace("'", "''");
Then, the query I will execute is put together like this:
String query = "INSERT into users (username, password, notes) VALUES('" + username + "' , '" + password + "' , '" + notes + "'";
Aside from the password not being encrypted, what else might I be missing here? I'm not expecting that many hackers will even know of the existence of this software, but then again, nobody expects their code to be hacked.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
始终使用参数化查询。
使用 ASP.NET C#:
那么您无需担心单引号或 SQL 注入。
Always use parameterised queries.
Using ASP.NET C#:
Then you don't need to worry about single quotes, or SQL Injection.
Google 搜索“准备好的语句” - 一种使用用户输入执行查询的安全方法。
Google for "prepared statements" - a secure way to execute queries with users input.
抱歉,我还没有发表评论的特权,但我可以说的是利用存储过程,并使用面向对象的编码风格来使用参数。
您还可以查看此网站,因为它提供了大量有关提高安全性的信息(包括对抗 SQL 注入):https://www.owasp.org/index.php/Main_Page
Sorry, I have no privilege to comment just yet, but what I can say will help is to utilize stored procedures, and to use object-oriented style of coding to use parameters.
You can also check this site out as it provides a lot of info on improving your security (which includes the fight against SQL injection): https://www.owasp.org/index.php/Main_Page