Defending against T-SQL injection [duplicate]

Time: 2022-05-19 11:50:15

This question already has an answer here:

Apologies if this seems a daft question, but how does using parameters defend against SQL injection, and what are the best practices in relation to T-SQL:

For example: Is this best practice?

SqlCommand SqlCmd = new SqlCommand("SQL Command @X ....... @Y");
SqlCmd.CommandType = CommandType.Text;
// Add(name, SqlDbType) declares the parameter type explicitly and returns the SqlParameter;
// AddWithValue(name, value) would have stored the SqlDbType enum itself as the value.
// Pass a size as the third argument (matching the column) to get the length check as well.
SqlCmd.Parameters.Add("@X", SqlDbType.VarChar).Value = X;
SqlCmd.Parameters.Add("@Y", SqlDbType.Date).Value = Y;
// Connection expects a SqlConnection object, not the connection string itself
SqlCmd.Connection = new SqlConnection(ConnectionString);

2 answers

#1


1  

The best practice is to use SQL Parameters. Using the SqlParameterCollection (as in your example: SqlCmd.Parameters) automatically provides you with:

  1. Type checking
  2. Length validation
  3. Input is treated as a literal value rather than as executable code
  4. Handling of special characters normally involved in SQL injection attacks

There are some additional best practices, including:

  • Constrain and sanitize input data
  • Use an account that has restricted permissions in the database
  • Avoid disclosing database error information

You'll find those best practices further described in the OWASP SQL Injection Prevention Cheat Sheet.

#2


2  

Yes, this code is safe from SQL injection.

The reason is that when working with parameters you're passing the items as values to your server, and they will be interpreted as such.

If you construct a string instead, SQL cannot know what the value is and what the query is, and has to rely purely on syntax.
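
Added example (not part of the question or either answer above) showing the point both answers make: a value bound as a parameter is delivered separately from the query text and is never parsed as SQL, whereas a value spliced into the string leaves the server to tell data from code by syntax alone. It also covers the first answer's "constrain and sanitize input" bullet for the one place parameters cannot help: identifiers such as a user-chosen ORDER BY column. The example is Python with an in-memory SQLite database standing in for SQL Server so it runs offline; the `orders` table, its rows, the `?` placeholders and the allow-list are constructed for the example, and the mechanism shown is the same idea as SqlCommand.Parameters, not the SqlClient API itself.

```python
import sqlite3

# Constructed sample data (not from the original page). SQLite stands in for
# SQL Server so the example runs offline; the parameter mechanism is the same
# idea as SqlCommand.Parameters: values travel separately from the query text.
ROWS = [
    ("alice", "2022-05-01", 120.0),
    ("bob", "2022-05-02", 75.5),
    ("carol", "2022-05-19", 9.99),
]

# Identifiers cannot be bound as parameters, so a user-controlled column
# name must be checked against an allow-list instead.
ALLOWED_ORDER_COLUMNS = {"name", "order_date", "amount"}


def open_db():
    """Create the constructed in-memory table used by the functions below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (name TEXT, order_date TEXT, amount REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", ROWS)
    return conn


def find_orders_concatenated(conn, name):
    """Vulnerable: the value is spliced into the query text, so the engine
    has only syntax to decide where the data ends and the query resumes."""
    sql = "SELECT name, amount FROM orders WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_orders_parameterized(conn, name):
    """Safe: ? is a placeholder; the value is bound as a literal and is never
    parsed as SQL, whatever quotes or keywords it contains."""
    sql = "SELECT name, amount FROM orders WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def list_orders_sorted(conn, order_by):
    """Parameters do not cover identifiers, so the sort column is constrained
    to a fixed allow-list before it is placed into the query text."""
    if order_by not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"disallowed sort column: {order_by!r}")
    return conn.execute(f"SELECT name FROM orders ORDER BY {order_by}").fetchall()


if __name__ == "__main__":
    conn = open_db()
    payload = "x' OR '1'='1"
    # Concatenation: WHERE name = 'x' OR '1'='1' is always true, every row leaks.
    print(find_orders_concatenated(conn, payload))
    # Parameter: the engine looks for a user literally named "x' OR '1'='1".
    print(find_orders_parameterized(conn, payload))
    print(list_orders_sorted(conn, "amount"))
```

Running it shows the concatenated query returning all three rows for the payload while the parameterized query returns none; the restricted-account and error-disclosure bullets from the first answer are server-side configuration and are not shown here.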
