[Security] Always use parameterized queries
SQL databases are commonly used to store data; for example, your application could store user profile information in a database. You should never build inline SQL or other database queries in your code from raw user input and send them directly to the database; this behavior is a recipe for disaster, as we saw above.
For example - do not create code like the following inline SQL example:
string userName = Request.QueryString["username"]; // receive input from the user - BEWARE! This value is attacker-controlled.
...
// Vulnerable: the user's input becomes part of the SQL text, so any quote or SQL syntax it contains is executed as SQL.
string query = "SELECT * FROM [dbo].[users] WHERE userName = '" + userName + "'";
Here we concatenate text strings together to create the query, taking the input from the user and generating a dynamic SQL query to look up the user. Again, if a malicious user realized we were doing this, or just tried different input styles to see if there was a vulnerability, we could end up with a major disaster. Instead, use parameterized SQL statements or stored procedures such as this:
-- Lookup a user by name; @UserName is always treated as data, never as SQL text.
-- (Note: SQL Server reserves the sp_ prefix for system procedures; a different prefix avoids a lookup detour in master.)
CREATE PROCEDURE sp_findUser
(
    @UserName varchar(50)
)
AS
    SELECT * FROM [dbo].[users] WHERE userName = @UserName
With this method you can invoke the procedure from your code safely, passing it the userName string without worrying about it being treated as part of the SQL statement.
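The following is an added example, not code from the original post: it shows the two safe call patterns described above in ADO.NET, a parameterized inline statement and a call to the sp_findUser procedure. It assumes a SQL Server database with the [dbo].[users] table and the procedure above; the connection string is a placeholder to be supplied from configuration.

```csharp
// Added example (not part of the original post): safe user lookup with ADO.NET.
// Assumes the [dbo].[users] table and the sp_findUser procedure shown above exist.
using System;
using System.Data;
using System.Data.SqlClient;

public static class UserLookup
{
    // Placeholder: load a real connection string from configuration; never hard-code credentials.
    private const string ConnectionString = "<CONNECTION_STRING_PLACEHOLDER>";

    // Inline SQL done safely: the value travels to the server as a typed parameter,
    // so the statement text is fixed and the input can never change its structure.
    public static DataTable FindUserInline(string userName)
    {
        const string query = "SELECT * FROM [dbo].[users] WHERE userName = @UserName";

        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(query, conn))
        {
            // Declaring type and length to match the column avoids implicit conversions
            // and plan-cache bloat from differently sized parameters.
            cmd.Parameters.Add("@UserName", SqlDbType.VarChar, 50).Value = userName;

            var table = new DataTable();
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
            return table;
        }
    }

    // Stored procedure done safely: CommandType.StoredProcedure plus a named parameter.
    // The procedure name is a constant, and the user's value is bound to @UserName.
    public static DataTable FindUserViaProcedure(string userName)
    {
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand("dbo.sp_findUser", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@UserName", SqlDbType.VarChar, 50).Value = userName;

            var table = new DataTable();
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
            return table;
        }
    }

    public static void Main()
    {
        // Constructed input containing a single quote: with the concatenated query from the
        // post this would break the statement; here it is simply looked up as the literal name.
        string userName = "O'Brien";

        DataTable byInline = FindUserInline(userName);
        DataTable byProc = FindUserViaProcedure(userName);

        Console.WriteLine($"Inline lookup returned {byInline.Rows.Count} row(s).");
        Console.WriteLine($"Procedure lookup returned {byProc.Rows.Count} row(s).");
    }
}
```

Both methods keep the SQL text constant and hand the user's value to the driver as a parameter, which is the property the post is asking for; the string concatenation in the first snippet is what makes the query text itself depend on the input. The same pattern applies to any ADO.NET provider, and ORMs such as Entity Framework generate parameterized SQL for LINQ queries by default.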