SQL databases are commonly used to store data; for example, your application could store user profile information in a database. You should never build inline SQL or other database queries in your code from raw user input and send them directly to the database; this behavior is a recipe for disaster, as we saw above.

For example - do not create code like the following inline SQL example:

string userName = Request.QueryString["username"]; // receive input from the user BEWARE!
...
string query = "SELECT * FROM [dbo].[users] WHERE userName = '" + userName + "'";

Here we concatenate text strings together to create the query, taking the input from the user and generating a dynamic SQL query to look up the user. Again, if a malicious user realized we were doing this, or simply tried different input styles to see whether there was a vulnerability, we could end up with a major disaster. Instead, use parameterized SQL statements or stored procedures such as this:

-- Look up a user by name; the input is bound to a typed parameter, never spliced into the SQL text
CREATE PROCEDURE sp_findUser
(
    @UserName varchar(50)
)
AS
    SELECT * FROM [dbo].[users] WHERE userName = @UserName

With this method you can invoke the procedure from your code safely, passing it the userName string without worrying about it being treated as part of the SQL statement.
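The following is an added example of the calling side in ADO.NET; it is not code from the original post. It assumes the sp_findUser procedure above exists in the database and uses a placeholder connection string. Both methods send the user-supplied value as a typed parameter, so a quote character or SQL keyword in the input is matched literally against the userName column rather than being interpreted as part of the statement.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not from the original post): looking up a user safely with ADO.NET.
public static class UserLookup
{
    // Placeholder connection string (assumption); replace with your own configuration.
    private const string ConnectionString = "Server=.;Database=AppDb;Integrated Security=true;";

    // Option 1: call the stored procedure, binding the input as a typed parameter.
    public static DataTable FindUserViaProcedure(string userName)
    {
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand("dbo.sp_findUser", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            // Type and length match the procedure's @UserName declaration. A null input is
            // sent as DBNull; leaving Value unset would make the provider omit the parameter.
            cmd.Parameters.Add("@UserName", SqlDbType.VarChar, 50).Value =
                (object)userName ?? DBNull.Value;
            return Execute(conn, cmd);
        }
    }

    // Option 2: an inline statement with a bound parameter. The SQL text is a compile-time
    // constant; the user's value travels separately and never changes the statement's shape.
    public static DataTable FindUserViaParameterizedQuery(string userName)
    {
        const string sql = "SELECT * FROM [dbo].[users] WHERE userName = @UserName";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@UserName", SqlDbType.VarChar, 50).Value =
                (object)userName ?? DBNull.Value;
            return Execute(conn, cmd);
        }
    }

    // Opens the connection, runs the command, and loads the rows into a DataTable.
    private static DataTable Execute(SqlConnection conn, SqlCommand cmd)
    {
        var table = new DataTable();
        conn.Open();
        using (var reader = cmd.ExecuteReader())
        {
            table.Load(reader);
        }
        return table;
    }

    public static void Main()
    {
        // Sample input constructed for the example; in a real application this would come
        // from the request, exactly as in the vulnerable snippet above.
        var rows = UserLookup.FindUserViaProcedure("alice");
        Console.WriteLine($"{rows.Rows.Count} row(s) returned");
    }
}
```

Note that the parameter's SqlDbType and length are declared explicitly rather than inferred from the .NET string; this keeps the type the server sees stable across calls and avoids implicit conversions on the userName column.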
