如何防止JS注入攻击
问题描述:
你好,
我创建了一个简单的表单来按用户提交数据,
我发现有些用户错过了它并插入了60000条记录,
我不确定他如何在不到5分钟的时间内插入这些记录
我的表单在.net 3.5框架下,并且@page指令具有validaterequest ="true"
任何想法我怎么能提高我的应用程序安全性!
Hello there
I created a simple form to submit data by users,
i found that some user missed up with it and inserted 60000 record,
m not sure how he managed to insert these records in less than 5 min
my form is under .net 3.5 framework , and @page directive has validaterequest="true"
any idea how can i increase my application security!!!
答
不知道您的表单如何工作,很难回答,但是基本规则是:从不连接字符串以形成SQL命令-始终使用参数化查询.我不知道您的工作状况如何,但是在C#中,您将替换为:
Without knowing how your form works, it is difficult to answer, but the basic rules are: never ever concatenate strings to form SQL commands - always use parametrized queries. I don''t know how you are doing yours, but in C#, you would replace:
SqlCommand cmd = new SqlCommand("INSERT INTO myTable (textColumn) VALUES ('" + myTextBox.Text + "')", con);与
SqlCommand cmd = new SqlCommand("INSERT INTO myTable (textColumn) VALUES (@TX)", con);
cmd.Parameters.AddWithValue("@TX", myTextBox.Text);