How to prevent Sql-Injection on User-Generated Sql Queries

前端 未结 15 2187
伪装坚强ぢ
伪装坚强ぢ 2021-02-10 11:55

I have a project (private, ASP.net website, password protected with https) where one of the requirements is that the user be able to enter Sql queries that will directly query t

15条回答
  •  半阙折子戏
    2021-02-10 12:34

    My gut reaction is that you should focus on setting the account privileges and grants as tightly as possible. Look at your RDBMS security documentation thoroughly, there may well be features you are not familiar with that would prove helpful (e.g. Oracle's Virtual Private Database, I believe, may be useful in this kind of scenario).

    In particular, your idea to "Verify (using Regex) that the user has permission to access the tables being queried/updated, included in joins, etc." sounds like you would be trying to re-implement security functionality already built into the database.

提交回复
热议问题