问题描述
我遇到一个主要问题,我不知道如何在CLR / C ++中编写SQL语句时防止SQL注入
下面是代码
I am having a major problem where I do not know how to prevent SQL injection when writing SQL statements in CLR/C++Below is the code
String^ sqlstr = "SELECT * FROM ";
sqlstr += tableName + " WHERE " + field + " = " + fieldEntity;
我需要能够为该语句输入正确的SQL注入预防措施。
I need to be able to input correct SQL Injection preventions to this statement.
背景代码
class database
{
protected:
string fieldEntity;
string tableName;
string field;
...
____
OleDbDataReader^ openData(String^ fieldEntity, String^ field, String^ tableName)
{
String^ sqlstr = "SELECT * FROM ";
sqlstr += tableName + " WHERE " + field + " = " + fieldEntity;
...
___
OleDbDataReader^ reader2 = testData.openData(effectID, "effectID", "effectOnUser");
while (reader2->Read())
{
Object^ dHealthptr = reader2["effectOnHealth"];
Object^ dTirednessptr = reader2["effectOnTiredness"];
Object^ dHappinessptr = reader2["effectOnHappiness"];
...
推荐答案
有两种方法为防止SQL注入,SQLCLR的环境不会对此进行更改:
There are two ways to prevent SQL Injection and the environment of SQLCLR does not change this:
- 首选机制是使用参数化查询。不同的语言和库以不同的方式进行处理,但是至少您应该能够使用准备好的语句。 请注意,这不适用于不能接受变量的方案,例如
tableName
和field
请参阅:
- The preferred mechanism is by using parameterized queries. Different languages and libraries go about this in different ways, but at the very least you should be able to use prepared statements. Please note that this does not apply to scenarios that could not accept a variable, such as with
tableName
andfield
in your code.
Please see:
- Issuing a Parameterized Query
- Using Stored Procedures
对输入进行消毒:
Sanitize the inputs:
- 最小裸线,到目前为止最常见的要求是通过将单引号加倍来对其进行转义(即
'
变为''
) b $ b -
另外(以下是我在DBA.StackExchange上的一个相关答案的引文):
- Bare minimum, and by far the most common, requirement is to escape single quotes by doubling them (i.e.
'
becomes''
) Additionally (below is a quote from a related answer of mine on DBA.StackExchange):
因此,请确保适当调整字符串输入参数的大小。对于声明为 VARCHAR(25)
的列,您不需要 VARCHAR(500)
。请参阅我在DBA.StackExchange上的答案以获取更多详细信息和示例:
So, be sure to properly size the string input parameters. You don't need VARCHAR(500)
for a column that is declared as VARCHAR(25)
. Please see my answer on DBA.StackExchange for more details and examples:Why does SQL Injection not happen on this query inside a stored procedure?
这篇关于使用带有多个变量的CLR / C ++时,如何防止SQL语句被SQL注入?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!