SQL Injection attack prevention: where do I start

问题

I\'m looking to make my site secure against SQL injection attacks. Does anyone have any good links to make the site secure against these types of attacks in an ASP.NET site (c#, web forms)?

EDIT:

I should point out at I am using the Entity Framework

回答1:

The first and best line of defense is to not use dynamic SQL.

Always use parameterized queries.

Take a look at the OWASP page about SQL Injection.

回答2:

See these resources:

• How To: Protect From SQL Injection in ASP.NET (MSDN)

• Data Security: Stop SQL Injection Attacks Before They Stop You

• SQL Injection Attacks and Some Tips on How to Prevent Them

• Preventing SQL Injection in ASP.NET

Basically, as Oded already pointed out, it boils down to stop concatenating together your SQL statements - especially if that involves data entered by user's into textboxes - and use parametrized queries in ADO.NET.

回答3:

Have a look here:

Bobby Tables: A guide to preventing SQL injection

回答4:

This is a great series that covers the top 10 security threats to web applications and how to mitigate them using ASP.net: http://www.troyhunt.com/2010/05/owasp-top-10-for-net-developers-part-1.html

回答5:

It's easy. Most injection vulns come from code that looks like this:

var myQuery="SELECT something FROM somewhere WHERE somefield="+userSuppliedData;
//execute myQuery against db
//now suppose userSuppliedData=="'';DROP TABLE somewhere;"

If you're hand rolling sql statements like this, you're at risk. Consider using an ORM or parameterized queries.

回答6:

Use stored procedures with parameters and avoid inline SQL whenever possible...

回答7:

get data through parameters like:

string str = "insert into CustomerHistoryDD(logo,ceoPicture,ceoProfilePicture,coverPhoto,employee1,employee2,employee3,employee4) values(@param1,@param2,@param3,@param4,@param5,@param6,@param7,@param8)";
        SqlCommand cmd = new SqlCommand(str, con);
        con.Open();
        cmd.Parameters.AddWithValue("@param1", link);
        cmd.Parameters.AddWithValue("@param2", link1);
        cmd.Parameters.AddWithValue("@param3", link2);
        cmd.Parameters.AddWithValue("@param4", link3);
        cmd.Parameters.AddWithValue("@param5", tb_Emp1.Text);
        cmd.Parameters.AddWithValue("@param6", tb_Emp2.Text);
        cmd.Parameters.AddWithValue("@param7", tb_Emp3.Text);
        cmd.Parameters.AddWithValue("@param8", tb_Emp4.Text);
        cmd.ExecuteNonQuery();
        con.Close();
        lbl_msg.Text = "Data Saved Successfully";

来源：https://stackoverflow.com/questions/9162862/sql-injection-attack-prevention-where-do-i-start