Archive

Posts tagged 'sql injection'

SQL Injection Mitigation: Using Parameterized Queries

September 8, 2009 | Comments closed

This post explains in detail how to use SQL parameterized queries.


Giving SQL Injection the Respect it Deserves

September 8, 2009 | Comments closed

Michael summarized three methods for defending against SQL injection, all of which require modifying existing code. Although Neil says input filtering is not a good way to prevent SQL injection, I think it is a general-purpose approach and a good one for existing projects; for future projects, we can still consider adopting Michael's recommendations from the SDL as requirements and standards. Is there an existing tool that checks the following three points?

Use SQL Parameterized Queries
Use Stored Procedures
Use SQL Execute-only Permissions


Input Validation Is Not The Answer

September 8, 2009 | Comments closed

I just sent a piece of e-mail to my team about input validation and SQL injection and it occurred to me that I’ve been meaning to get into this here, too:

If you’re trying to solve a SQL injection problem, input validation is NOT the answer!

There, I’ve said it. I keep seeing blog posts, forum posts, e-mail, etc, that say “Oh, you got hax0red by SQL injection, you should have been doing input validation”. I’m sorry, but y’all are wrong, wrong, wrong, wrong. Let me copy-and-paste my e-mail to explain why:

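The following is an added example, not code from any of the three posts above or from Michael Howard's SDL material. It illustrates the first of the three points listed above (parameterized queries) and the thesis of the third post (quote-stripping input validation does not stop injection). SQLite's built-in Python module is assumed in place of SQL Server, and the users table and login payloads are constructed sample data.

```python
"""Parameterized queries versus string-built SQL, with a quote-stripping
"validator" shown failing. Added example using sqlite3 (an assumption; the
original posts discuss SQL Server). All table contents are constructed."""
import sqlite3


def make_db():
    """Create a constructed in-memory users table with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Builds the statement by string formatting, so user input is parsed as SQL."""
    sql = (
        "SELECT name FROM users WHERE name = '%s' AND password = '%s' ORDER BY name"
        % (name, password)
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name, password):
    """Same query with ? placeholders: the driver binds values, never SQL text."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name, password))]


def strip_quotes(value):
    """A naive input 'validator' that removes single quotes (hypothetical filter)."""
    return value.replace("'", "")


def find_by_id_filtered(conn, user_id):
    """Numeric field built by formatting after quote-stripping; no quotes needed
    to inject, so the filter buys nothing."""
    sql = "SELECT name FROM users WHERE id = %s ORDER BY name" % strip_quotes(user_id)
    return [row[0] for row in conn.execute(sql)]


def find_by_id_parameterized(conn, user_id):
    """Bound parameter: '1 OR 1=1' is compared to id as a value and matches nothing."""
    sql = "SELECT name FROM users WHERE id = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def demo():
    """Run the legitimate and attack inputs through each variant."""
    conn = make_db()
    tautology = "' OR '1'='1"       # classic string-context payload
    numeric_payload = "1 OR 1=1"    # no quotes, so strip_quotes leaves it intact
    return {
        "legit_vuln": login_vulnerable(conn, "alice", "s3cret"),
        "legit_param": login_parameterized(conn, "alice", "s3cret"),
        "attack_vuln": login_vulnerable(conn, "nobody", tautology),
        "attack_param": login_parameterized(conn, "nobody", tautology),
        "id_filtered_attack": find_by_id_filtered(conn, numeric_payload),
        "id_param_attack": find_by_id_parameterized(conn, numeric_payload),
        "id_param_legit": find_by_id_parameterized(conn, 1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows the formatted login returning both users for the tautology payload while the parameterized version returns nothing, and the quote-stripping filter failing outright on the numeric field: `1 OR 1=1` contains no quote to strip, yet still dumps every row. The bound-parameter version of the same lookup returns nothing for the payload and exactly one row for a real id, which is the point Michael's first recommendation makes and Neil's post argues.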