How do I avoid SQL injection attacks in my ASP.NET application?

Time: 2021-03-15 08:40:27

I need to avoid being vulnerable to SQL injection in my ASP.NET application. How might I accomplish this?


16 solutions

#1


20  

Even though your question is very generic, a few rules always apply:

  • Use parameterized queries (SqlCommand with SqlParameter) and put user input into parameters.
  • Don't build SQL strings out of unchecked user input.
  • Don't assume you can build a sanitizing routine that can check user input for every kind of malformedness. Edge cases are easily forgotten. Checking numeric input may be simple enough to get you on the safe side, but for string input just use parameters.
  • Check for second-level vulnerabilities - don't build SQL query strings out of SQL table values if these values consist of user input.
  • Use stored procedures to encapsulate database operations.

#2


16  

Use Prepared Statements (link to an ASP.NET tutorial that uses prepared statements in the 'To add nodes for products' section). That's all there is to it.

Well, that, or use an ORM like Linq to SQL or NHibernate; they internally use prepared statements.

#3


10  

Use parameters! It really is that simple :-)

Create your queries like this (for MS SQL Server with C#):

    SqlCommand getPersons = new SqlCommand("SELECT * FROM Table WHERE Name = @Name", conn);

Here @Name is the parameter where you want to avoid SQL injection and conn is an SqlConnection object. Then to add the parameter value you do the following:

    getPersons.Parameters.AddWithValue("@Name", theName);

Here theName is a variable that contains the name you are searching for.

Now it should be impossible to do any SQL injection on that query.

Since it is this simple, there is no reason not to use parameters.

#4


10  

Never trust user input - Validate all textbox entries using validation controls, regular expressions, code, and so on.

Never use dynamic SQL - Use parameterized SQL or stored procedures.

Never connect to a database using an admin-level account - Use a limited-access account to connect to the database.

Don't store secrets in plain text - Encrypt or hash passwords and other sensitive data; you should also encrypt connection strings.

Exceptions should divulge minimal information - Don't reveal too much information in error messages; use customErrors to display minimal information in the event of an unhandled error; set debug to false.

Useful link on MSDN: Stop SQL Injection

#5


4  

SQL injection occurs because the query to the database is being constructed in real time, for example:

    "SELECT * From Table1 WHERE " + UserInput

UserInput may be malicious and contain other statements that you do not intend.

To avoid it, you need to avoid concatenating your query together.

You can accomplish this by using parametrized queries - check out the DBCommand object for your particular DB flavor.

#6


3  

Use parametrized queries and/or stored procedures and pass your parameters via SQL parameters. Never generate SQL code by concatenating strings. Also do some reading about SQL injection and about writing secure code, because preventing SQL injection is only a small part of security. There are many more issues (like XSS - Cross Site Scripting). If a hacker wants to compromise your site/application, he will look for more than only SQL injection.

#7


3  

Scott Guthrie posted a decent little article about this a while back. In it, he offers 5 suggestions for protecting yourself:

  1. Don't construct dynamic SQL Statements without using a type-safe parameter encoding mechanism. [...]

  2. Always conduct a security review of your application before ever putting it in production, and establish a formal security process to review all code anytime you make updates. [...]

  3. Never store sensitive data in clear-text within a database. [...]

  4. Ensure you write automation unit tests that specifically verify your data access layer and application against SQL Injection attacks. [...]

  5. Lock down your database to only grant the web application accessing it the minimal set of permissions that it needs to function. [...]

He does a decent job of explaining why these are important, and links to several other resources as well...

#8


2  

NEVER trust user input, always validate it, and use SQL parameters. That should be enough basis to prevent SQL injection.

#9


1  

Hopefully, this will help:

http://www.codersbarn.com/post/2008/11/01/ASPNET-Data-Input-Validation.aspx

The short answer is to use parameterized queries.

Anthony :-) www.codersbarn.com

#10


1  

Always use only parameterized queries.

#11


0  

The "Building Secure ASP.NET Applications" guideline book has a section on this topic.

#12


0  

As others have said, don't concatenate user input to create dynamic SQL statements; always use parameterized SQL when using dynamic SQL. However, I will point out that this rule also applies when creating dynamic SQL inside of a stored proc. This fact is something people often overlook. They think they are safe because they are "using stored procedures."

#13


0  

Use XSS Secured UrlEncode using Microsoft.Security.Application.AntiXss.UrlEncode and SQL injection will not work. Or you can use ASP.NET – JSON – Serialization and Deserialization.

Also test your application with SiteDigger, a free tool from McAfee.

A few more are from here:

.NET Security Toolkit v1.0, .NETMon v1.0, Validator.NET v1.0

#14


0  

Everyone says "Use parameters". We'd have to say it less if it wasn't so perversely difficult.

Use QueryFirst. The temptation to concatenate is removed, and the right way becomes the easiest way. You create a parameter just by typing @myParam in your SQL; the tool does the rest.

Disclaimer: I wrote QueryFirst.

#15


-3  

Understand what exactly SQL injection is, and then never write anything that is vulnerable to it.

#16


-4  

Try to use stored procedures, and validate the input on your data. Do not use any direct SQL like INSERT INTO ...
