1. 技术文章
  2. SQL Injection Prevention

SQL Injection Prevention

倖福魔咒の 提交于 2020-01-02 06:19:13

问题


I'm currently working on a legacy ASP project where security has now become a large concern. Not only is it insecure encryption methods (md5), but I'm worried about SQL injection problems. I'm not very good with injection quite yet, and I've tried only the basics of what I know. I've found the function which "secures" any user input, but I'm wondering if it is actually doing anything to prevent injection attacks. Here is the function:

function sqlfix(input)
    if not isnull(input) and input <> "" then
        input = replace(input, ";", "&#59;")
        input = replace(input, "'", "&#39;")
        input = replace(input, """", "&#34;")
        input = replace(input, "(", "&#40;")
        input = replace(input, ")", "&#41;")
        input = replace(input, "|", "&#124;")
        input = replace(input, "<", "&#60;")
        input = replace(input, ">", "&#62;")
        input = replace(input , "'", "''")
        'input = Server.HTMLEncode(input)
        'input = Server.UrlEncode(input)
        sqlfix = input
    else
        sqlfix = ""
    end if
end function

I remember doing something like this many years ago when I first started PHP with mysql_* functions, but now I've moved onto PDO and parameter binding. However I don't know how safe this is for ASP applications. Thanks for any input.


回答1:


Don't fall into the string-interpolation trap! It's not secure.

You can use real SQL query parameters even in ASP Classic.

I'm not an ASP programmer, but I found this blog with a clear example of using an ADODB.Command object for a parameterized SQL query, and binding values to parameters before executing.

http://securestate.blogspot.com/2008/09/classic-asp-sql-injection-prevention_30.html

Also see this SO question for some more examples of using named parameters:

ASP Classic Named Parameter in Paramaterized Query: Must declare the scalar variable




回答2:


This is as close as you can get to PDO in ASP Classic...

with createobject("adodb.command")
    .activeConnection = application("connectionstring")
    .commandText = "select * from sometable where id=?"
    set rs = .execute( ,array(123))
end with

How can I make a prepared statement in classic asp that prevents sql injection?




回答3:


The line 

input = replace(input , "'", "''")

is doing most of the work. What I have done for secure sites is several distinct functions for each datatype

fn_validstring replacing single quotes
fn_validnumber testing isnumeric 
fn_validint leveraging fn_validnumber and rounding
fn_bool 
etc ...

Replacing dynamic with stored procedures and removing all permissions except execute secures environment regardless.




回答4:


PDO and prepared statements are the best way to prevent SQL injections. Hand-writing SQL sanitization code like the code above is significantly more dangerous since there's a lot you can miss easily.

Using prepared statements will make the SQL statements secure.



来源:https://stackoverflow.com/questions/13573458/sql-injection-prevention

标签
mysql
sql
asp-classic
sql-injection
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!