Do I need to worry about insert/update/delete/injection attacks when I use the following SqlDataAdapter?
Do I need to do anything in order to prevent inserts/updates/deletes/injection attacks when I'm using the following code?
using System.Data;
using System.Data.SqlClient;

public static DataSet getReportDataSet(string sqlSelectStatement)
{
    // Dispose the connection and adapter so the pooled connection is released even if Fill throws.
    using (SqlConnection conn = new SqlConnection(GlobalVars.ConnectionString))
    using (SqlDataAdapter da = new SqlDataAdapter(sqlSelectStatement, conn))
    {
        DataSet reportData = new DataSet();
        da.Fill(reportData, "reportData");
        return reportData;
    }
}
The idea behind this is that I'll be extracting the sql from a series of Crystal Reports, pulling the data for each report from the MS SQL Server, binding the data to the reports and then exporting the filled reports to PDF.
I know that you can use the built-in functionality to get the reports to pull their own data, but my tests have shown that pushing the data to the reports is a whole bunch faster. My only issue with this is that I have no control over the reports that will be run.
People will be required to provide their own login credentials for the SQL Server, so they will only be able to see data from the databases that they have permissions to... but some of the users have write permissions, and I'm worried that blindly running an sql string pulled from a Crystal Report could potentially allow for an insert/update/delete/injection attack...
I think that I might be worrying for nothing, but I can't find anything that outright states if this could be used for things aside from selects.
Edit:
So from the initial comments, I think that I do have to worry about SQL statements aside from SELECTs. So my question now becomes: is there some way to specify that an SqlConnection can only be used for 'reads' (i.e. SELECTs)?
The problem is not the adapter. The problem is, how you pass parameters to your sql command. You should not do things like
Instead use parameters:
In general I would say: Yes, you have to.
But maybe Crystal Reports quotes the SQL string already. Try an "attack" yourself and see what sqlSelectStatement contains.
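One way to act on the edited question, as an added example that is not code from the original post or either answer: a pre-flight check in front of the same SqlDataAdapter.Fill call that accepts only a single SELECT with no INTO clause, so a batch such as "SELECT ...; DELETE ..." or an EXEC is refused before it reaches the server. It assumes the Microsoft.SqlServer.TransactSql.ScriptDom parser package is referenced and that the connection string is passed in instead of read from GlobalVars.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.IO;
using Microsoft.SqlServer.TransactSql.ScriptDom; // assumed NuGet package reference

public static class ReportSql
{
    // Accepts the text only if it parses as exactly one batch containing exactly one
    // SELECT without INTO. A second statement, a GO-separated second batch, INSERT,
    // UPDATE, DELETE, EXEC or a syntax error are all rejected before any round trip.
    public static bool IsSingleSelect(string sql, out string reason)
    {
        var parser = new TSql150Parser(initialQuotedIdentifiers: true);
        IList<ParseError> errors;
        TSqlFragment fragment;
        using (var reader = new StringReader(sql))
            fragment = parser.Parse(reader, out errors);

        if (errors.Count > 0) { reason = "parse error: " + errors[0].Message; return false; }
        var script = fragment as TSqlScript;
        if (script == null || script.Batches.Count != 1) { reason = "expected exactly one batch"; return false; }
        IList<TSqlStatement> statements = script.Batches[0].Statements;
        if (statements.Count != 1) { reason = "expected one statement, found " + statements.Count; return false; }
        var select = statements[0] as SelectStatement;
        if (select == null) { reason = "not a SELECT: " + statements[0].GetType().Name; return false; }
        if (select.Into != null) { reason = "SELECT ... INTO creates a table"; return false; }
        reason = null;
        return true;
    }

    // Same Fill as in the question, guarded by the check above, with the connection
    // and adapter disposed when done.
    public static DataSet GetReportDataSet(string sqlSelectStatement, string connectionString)
    {
        string reason;
        if (!IsSingleSelect(sqlSelectStatement, out reason))
            throw new ArgumentException("report SQL rejected: " + reason);

        using (var conn = new SqlConnection(connectionString))
        using (var da = new SqlDataAdapter(sqlSelectStatement, conn))
        {
            var reportData = new DataSet();
            da.Fill(reportData, "reportData");
            return reportData;
        }
    }
}
```

The parser check only constrains statement shape (a SELECT can still reach OPENROWSET or CLR functions), so pair it with a report login limited to db_datareader rather than relying on it alone.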