VBScript / ASP Classic和ADO中的参数化

时间:2021-12-01 04:28:18

I'm a bit confused here. Microsoft as far as I can tell claims that parametrization is the best way to protect your database from SQL injection attacks. But I find two conflicting sources of information here:

我在这里有点困惑。微软据我所知,参数化是保护数据库免受SQL注入攻击的最佳方法。但我发现这里有两个相互矛盾的信息来源:

This page says to use the ADO command object. But this page says that the command object isn't safe for scripting. I seem to recall reading somewhere that the command object shouldn't be used in VBScript or JScript because of security vulnerabilities, but I can't seem to find that article.

该页面说使用ADO命令对象。但是这个页面说命令对象不适合编写脚本。我似乎记得在某处读到由于安全漏洞而不应在VBScript或JScript中使用命令对象,但我似乎无法找到那篇文章。

Am I missing something here, or do those two articles seem to contradict each other?

我在这里遗漏了什么,或者这两篇文章是否相互矛盾?

2 个解决方案

#1


4  

I could be wrong here, but I think this just means that someone could use the Command object to do bad things. I.e. it's not to be trusted if someone else is scripting it.

我可能在这里错了,但我认为这只意味着有人可以使用Command对象做坏事。即如果其他人正在编写脚本,那就不值得信任了。

See safe for scripting in this article. Every instance that talks about this phrase online, references it as if you are marking an ActiveX control saying "This control does no I/O or only talks back to the server that it came from" but the Command object doesn't do that. It can be used to do a lot of things which could be unsafe.

请参阅本文中的安全脚本。在线讨论这个短语的每个实例都引用它,就好像你在标记一个ActiveX控件上说“这个控件没有I / O或只回到它来自的服务器”但Command对象不这样做。它可以用来做很多可能不安全的事情。

The "safe" they are talking about and the "safe" to prevent from SQL injection are two different things. The article about using the ADO Command object to parametrize your data is spot on. You should do that.

他们所谈论的“安全”和防止SQL注入的“安全”是两回事。有关使用ADO Command对象参数化数据的文章是现场的。你应该这样做。

And, Microsoft further confirms this here:

而且,微软在此进一步证实了这一点:

http://msdn.microsoft.com/en-us/library/ms676585(v=VS.85).aspx

http://msdn.microsoft.com/en-us/library/ms676585(v=VS.85).aspx

#2


1  

I think "safe for scripting" means "safe to be run from a webpage we just retrieved from some Nigerian prince". The command object should be safe to run on the server.

我认为“安全的脚本”意味着“从我们刚从一些尼日利亚王子那里检索到的网页上安全运行”。命令对象应该可以安全地在服务器上运行。

At work though, back in the day my colleagues didn't trust it so we had an in-house framework that basically did the same thing.

但在工作中,当天我的同事们并不信任它,所以我们有一个基本上做同样事情的内部框架。

#1


4  

I could be wrong here, but I think this just means that someone could use the Command object to do bad things. I.e. it's not to be trusted if someone else is scripting it.

我可能在这里错了,但我认为这只意味着有人可以使用Command对象做坏事。即如果其他人正在编写脚本,那就不值得信任了。

See safe for scripting in this article. Every instance that talks about this phrase online, references it as if you are marking an ActiveX control saying "This control does no I/O or only talks back to the server that it came from" but the Command object doesn't do that. It can be used to do a lot of things which could be unsafe.

请参阅本文中的安全脚本。在线讨论这个短语的每个实例都引用它,就好像你在标记一个ActiveX控件上说“这个控件没有I / O或只回到它来自的服务器”但Command对象不这样做。它可以用来做很多可能不安全的事情。

The "safe" they are talking about and the "safe" to prevent from SQL injection are two different things. The article about using the ADO Command object to parametrize your data is spot on. You should do that.

他们所谈论的“安全”和防止SQL注入的“安全”是两回事。有关使用ADO Command对象参数化数据的文章是现场的。你应该这样做。

And, Microsoft further confirms this here:

而且,微软在此进一步证实了这一点:

http://msdn.microsoft.com/en-us/library/ms676585(v=VS.85).aspx

http://msdn.microsoft.com/en-us/library/ms676585(v=VS.85).aspx

#2


1  

I think "safe for scripting" means "safe to be run from a webpage we just retrieved from some Nigerian prince". The command object should be safe to run on the server.

我认为“安全的脚本”意味着“从我们刚从一些尼日利亚王子那里检索到的网页上安全运行”。命令对象应该可以安全地在服务器上运行。

At work though, back in the day my colleagues didn't trust it so we had an in-house framework that basically did the same thing.

但在工作中,当天我的同事们并不信任它,所以我们有一个基本上做同样事情的内部框架。