将数据形成数据库：防止SQL注入

发布于 2024-12-25 06:00:36 字数 1426 浏览 2 评论 0原文

最近有人提到，我们通过表单提交将数据插入 SQL 数据库的方法会受到 SQL 注入攻击，因此需要一些建议来加强我们的安全性。

下面是将表单数据插入数据库的代码：

        <cfquery name="InsRegistrant" datasource="#application.Datasource#" dbtype="odbc">

            INSERT INTO Schedule_Registrations(
                schedule_id,
                first_name,
                last_name,
                phone_number,
                email,
                guest,
                list_type,
                datetime_registered
             )
            VALUES(
                #url.schedule_id#,
                '#FORM.first_name#',
                '#FORM.last_name#',
                '#CleanPhoneNumber#',
                '#FORM.email#',
                 #attendee.guest#,
                 <!--- Values for list types 
                    0 = NEVER USE Will cause many many problems
                    1 = Main List
                    2 = Waiting List --->                    
                 #attendee.list_type#,
                 #createodbcdatetime(now())#
             )                
        </cfquery>

CleanPhoneNumber 是这样设置的：

<cfset CleanPhoneNumber = REReplace(form.phone_number, "[^0-9]", "", "ALL") />

例如，我被告知要使用，

<cfqueryparam cfsqltype="cf_sql_varchar" value="#form.phone_number#" />

但我不确定要替换什么以及在哪里替换。当我用这样的值替换这些值时，我收到错误。

任何方向都会有帮助..

原文

It has recently been mentioned to be that our method of inserting data into our SQL database via form submission is subject to SQL injection attacks, and want some advice to harden our security.

Here's the code that inserts form data into the DB:

        <cfquery name="InsRegistrant" datasource="#application.Datasource#" dbtype="odbc">

            INSERT INTO Schedule_Registrations(
                schedule_id,
                first_name,
                last_name,
                phone_number,
                email,
                guest,
                list_type,
                datetime_registered
             )
            VALUES(
                #url.schedule_id#,
                '#FORM.first_name#',
                '#FORM.last_name#',
                '#CleanPhoneNumber#',
                '#FORM.email#',
                 #attendee.guest#,
                 <!--- Values for list types 
                    0 = NEVER USE Will cause many many problems
                    1 = Main List
                    2 = Waiting List --->                    
                 #attendee.list_type#,
                 #createodbcdatetime(now())#
             )                
        </cfquery>

CleanPhoneNumber is set this way:

<cfset CleanPhoneNumber = REReplace(form.phone_number, "[^0-9]", "", "ALL") />

I've been told to use, for instance,

<cfqueryparam cfsqltype="cf_sql_varchar" value="#form.phone_number#" />

but I'm not sure what to replace and where. When I replace the values with such I get an error.

Any direction would be helpful..

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

恋竹姑娘 2025-01-01 06:00:36

您应该将所有表单和 url 变量包装在 cfqueryparam 中。

您的查询将如下所示：

<cfquery name="InsRegistrant" datasource="#application.Datasource#" dbtype="odbc">
    INSERT INTO Schedule_Registrations(
         schedule_id,
         first_name,
         last_name,
         phone_number,
         email,
         guest,
         list_type,
         datetime_registered
     )
     VALUES(
         <cfqueryparam cfsqltype="cf_sql_integer" value="#url.schedule_id#">,
         <cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.first_name#">,
         <cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.last_name#">,
         <cfqueryparam cfsqltype="cf_sql_varchar" value="#CleanPhoneNumber#">,
         <cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.email#">,
         <cfqueryparam cfsqltype="cf_sql_integer" value="#attendee.guest#">,
         <!--- Values for list types 
            0 = NEVER USE Will cause many many problems
            1 = Main List
            2 = Waiting List --->                    
         <cfqueryparam cfsqltype="cf_sql_integer" value="#attendee.list_type#">,
         #createodbcdatetime(now())#
     )                
</cfquery>

我不确定所有数据类型是否正确，请参阅所有数据类型的 cfqueryparam 的完整文档。

You should wrap all form and url variables in cfqueryparam

Your query would look like this:

<cfquery name="InsRegistrant" datasource="#application.Datasource#" dbtype="odbc">
    INSERT INTO Schedule_Registrations(
         schedule_id,
         first_name,
         last_name,
         phone_number,
         email,
         guest,
         list_type,
         datetime_registered
     )
     VALUES(
         <cfqueryparam cfsqltype="cf_sql_integer" value="#url.schedule_id#">,
         <cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.first_name#">,
         <cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.last_name#">,
         <cfqueryparam cfsqltype="cf_sql_varchar" value="#CleanPhoneNumber#">,
         <cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.email#">,
         <cfqueryparam cfsqltype="cf_sql_integer" value="#attendee.guest#">,
         <!--- Values for list types 
            0 = NEVER USE Will cause many many problems
            1 = Main List
            2 = Waiting List --->                    
         <cfqueryparam cfsqltype="cf_sql_integer" value="#attendee.list_type#">,
         #createodbcdatetime(now())#
     )                
</cfquery>

I'm not sure I got all the data types correct, see the full documentation of cfqueryparam for all the data types.

回复收藏 0 原文