问题
I have a requirement in AngularJs project on login and other form, to restrict user inputs which contain specific keywords like "SELECT","INSERT", "UPDATE", DELETE","DROP" etc in input fields. This will help us prevent SQL injection attacks.
Please let me know if we have any angularjs library to accomplish this. Or how can this be achieved efficiently using angularjs?
Thanks.
回答1:
Black list is NOT the answer in security. If you check for the word "select", the attacker will inject "sElEct" or "sel/**/ect" (in MySQL). If you split the words with spaces, the attacker will use comments ("/**/") or tabs as delimiters. You can never win with the black list approach (especially with whole words as you suggested), always use white list approach and allow only permitted characters (a-z,A-Z,0-9 for example).
Any client-side validation is bound to fail. An attacker can easily attack any Javascript-based "Defenses" with any simple proxy such as fiddler or burp. You should implement your white list input validation in your server side code alongside parametrized queries or some other best-practice to prevent SQL Injection in the DAL level (both are recommended together).
来源:https://stackoverflow.com/questions/24528523/angularjs-how-to-restrict-user-inputs-which-contain-sql-query-keywords-for-sq