Do I need to worry about insert/update/delete/injection attacks when I'm using the following SqlDataAdapter?

Posted 2024-12-15 15:30:21


Do I need to do anything in order to prevent inserts/updates/deletes/injection attacks when I'm using the following code?

    // Runs whatever SQL text it is given and returns the first result set as a DataSet table.
    public static DataSet getReportDataSet(string sqlSelectStatement)
    {
        SqlDataAdapter da = new SqlDataAdapter(sqlSelectStatement, new SqlConnection(GlobalVars.ConnectionString));
        DataSet reportData = new DataSet();
        da.Fill(reportData, "reportData");   // opens the connection, executes the text, closes it
        return reportData;
    }

The idea behind this is that I'll be extracting the SQL from a series of Crystal Reports, pulling the data for each report from the MS SQL Server, binding the data to the reports and then exporting the filled reports to PDF.

I know that you can use the built-in functionality to get the reports to pull their own data, but my tests have shown that pushing the data to the reports is a whole bunch faster. My only issue with this is that I have no control over the reports that will be run.

People will be required to provide their own login credentials for the SQL Server, so they will only be able to see data from the databases that they have permissions to... but some of the users have write permissions, and I'm worried that blindly running an SQL string pulled from a Crystal Report could potentially allow for an insert/update/delete/injection attack...

I think that I might be worrying for nothing, but I can't find anything that outright states if this could be used for things aside from selects.

Edit:

So from the initial comments, I think that I do have to worry about SQL statements aside from SELECTs. So my question now becomes; is there some way to specify that an SqlConnection can only be used for 'reads' (i.e. Selects).
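Added example, not from the question or from either answer: a T-SQL script, using a constructed dbo.Orders table and a hypothetical ReportReader user, that shows why the adapter offers no protection and where the protection has to live. SqlDataAdapter.Fill sends the command text to SQL Server unchanged; the server executes every statement in that batch and Fill merely loads the first result set, so a "select statement" that happens to contain a second statement will run it. There is no property on SqlConnection that makes a session read-only (ApplicationIntent=ReadOnly in the connection string only influences routing to a readable Availability Group secondary and does not stop writes on a database that is itself writable). What does work is running the extracted SQL as a principal that only holds SELECT rights, which the script simulates with EXECUTE AS (run it as a db_owner so the impersonation is permitted):

```sql
-- Constructed demo data (not from the original post).
CREATE TABLE dbo.Orders (OrderId int PRIMARY KEY, Amount money);
INSERT INTO dbo.Orders (OrderId, Amount) VALUES (1, 10.00), (2, 20.00);

-- Hypothetical read-only principal for the report runner.
-- WITHOUT LOGIN keeps the demo self-contained; in production CREATE LOGIN,
-- CREATE USER ... FOR LOGIN, and put that login in GlobalVars.ConnectionString.
-- (ALTER ROLE ... ADD MEMBER needs SQL Server 2012+; older versions use sp_addrolemember.)
CREATE USER ReportReader WITHOUT LOGIN;
ALTER ROLE db_datareader ADD MEMBER ReportReader;

-- The batch below is the shape of a malicious or careless report query.
-- Passed to SqlDataAdapter.Fill by a user who has write permission, SQL Server
-- runs both statements: Fill returns the SELECT rows and the DELETE commits,
-- leaving the table empty. Checking that the text starts with SELECT would not
-- catch it, because it does.

-- The same batch run as the read-only user: the SELECT succeeds, the DELETE is
-- refused with error 229 (The DELETE permission was denied on the object 'Orders'),
-- and since a permission error does not abort the batch, REVERT still runs.
EXECUTE AS USER = 'ReportReader';
SELECT OrderId, Amount FROM dbo.Orders;
DELETE FROM dbo.Orders;
REVERT;

-- Both rows are still present: the write never happened.
SELECT COUNT(*) AS RowsLeft FROM dbo.Orders;

DROP USER ReportReader;
DROP TABLE dbo.Orders;
```

db_datareader grants SELECT on every table and view in the database, so if different people are meant to see different data, the per-user restriction is still a database permission problem (views or per-login grants), not something the adapter or the connection object can enforce.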


Comments (2)

爱,才寂寞 2024-12-22 15:30:21


The problem is not the adapter. The problem is how you pass parameters to your SQL command. You should not do things like

    string sql = "SELECT * FROM t WHERE name='" + name + "'";

Instead use parameters:

    // The value is sent separately from the statement text, so it is never parsed as SQL.
    SqlCommand cmd = new SqlCommand("SELECT * FROM t WHERE name = @name", conn);
    SqlParameter param = new SqlParameter();
    param.ParameterName = "@name";
    param.Value = "John Doe";
    cmd.Parameters.Add(param);

余生再见 2024-12-22 15:30:21


In general I would say: yes, you have to.

But maybe Crystal Reports quotes the SQL string already. Try an "attack" yourself and see what sqlSelectStatement contains.
