Use layered defenses: stored procedures, SQL command parameter objects, validation controls and MD5 encryption
How should it be handled? And what about the case of an Access database?
HTML: before displaying it, run it through this function: HttpUtility.HtmlEncode(str to show)
Or add <pages validateRequest="true"> to web.config; that works too.
On the HTML side, shouldn't some things be allowed? And which malicious code exactly should be blocked?
The main thing to guard against is malicious SQL commands.
1. If the backend database is a large database such as SQL Server, do not operate on the database by building SQL command strings directly in code; use stored procedures wherever possible.
2. When sending content to the database (inserts and so on), use the OleDbParameter or SqlParameter database parameter objects and pass the content to the database through them.
3. If you must use hard-coded code with user input + SQL command, then at the place where the user enters input you must prevent malicious input by adding a validation control that strips out symbols.
I usually control user input with a RegularExpressionValidator control. For example, to prevent an injection attack like aaa' or '1'='1, I set its ValidationExpression property to "[A-Za-z0-9]*" (without the quotes), allowing only letters and digits; any other symbol, including spaces, is rejected.
Explained in great detail,
learned something.
Posted: 01 Mar 2004 09:38 PM
Web applications constantly face serious attacks that result from improper input validation. One popular attack is cross site scripting, which may allow an attacker to hijack another user's session or authentication state. Another is SQL injection, which can lead to disclosure or tampering with your backend database. Of course, many others are possible in applications that perform tasks based on client input without proper validation. The series of guidelines below should help you determine an optimal strategy when securing your ASP.NET applications. While the exact validation details depend on what kind of input you expect, the overall guidelines are as follows:
1. Enable ValidateRequest (enabled by default in v1.1). This will detect most dangerous input that contains an XSS attack.
2. Do server validation. Client validation can be easily bypassed, in fact too easily to count on it. You can take advantage of our validator controls: http://www.dotnetjunkies.com/quickstart/aspplus/doc/webvalidation.aspx
3. Only accept legal input (using regular expressions), reject all else. Do not attempt to scan the input for invalid content.
4. If you cannot restrict legal input (as you can with social security numbers) and must accept more or less free-form input (such as forum posts), sanitize it by removing dangerous characters/content you are aware of. Do not use this instead of 3 where possible.
5. If you must display input from the user, or data derived from it, HtmlEncode it. You can use HttpServerUtility.HtmlEncode().
6. If you use the input to drive database queries, use stored procedures with db parameters, or SQL queries with db parameters if you can't use stored procedures. Never build the SQL query as a string. See ADO.NET documentation for more info on using parameters, for example: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vbcon/html/vbtsksettinggettingdatacommandparameters.asp
Check out the security architecture guide for more information: http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh10.asp?frame=true#c10618429_006
Here is my thinking: you can check whether the number of rows it returns == 1,
taking into account the Access case, where stored procedure parameters cannot be used.
But what about the Access case?
How would you handle it?
// Encode a string for safe HTML display. The extraction had decoded the
// entities; "<" -> "&lt;", ">" -> "&gt;" and " " -> "&nbsp;" are restored here.
// The "'" -> "''" step is SQL quote escaping, not HTML encoding; it only
// helps the hard-coded-SQL case, and parameters remain the proper fix.
public static string Clean(string v)
{
    v = v.Trim();                     // trim first, before spaces become &nbsp;
    v = v.Replace("&", "&amp;");      // encode & first so later entities survive
    v = v.Replace("<", "&lt;");
    v = v.Replace(">", "&gt;");
    v = v.Replace("'", "''");
    v = v.Replace(" ", "&nbsp;");
    v = v.Replace("\r\n", "<br>");    // handle CRLF before LF, or it never matches
    v = v.Replace("\n", "<br>");
    return v;
}
Plus limit the length in the TextBox... that is usually enough for ordinary cases.
For SQL, use parameters and there will be no problem; otherwise, when a user tells you "I insist on using this as my name or password", what will you do?
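A worked example of the advice given in this thread, added here and not taken from any poster: the unsafe string-built query next to the parameterized versions for SQL Server and for Access over OleDb (which has no stored procedures but does accept parameters), with the letters-and-digits whitelist and the "exactly one row" check. The `Users(UserName)` table and connection strings are hypothetical.

```csharp
using System;
using System.Data;
using System.Data.OleDb;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class SafeLogin
{
    // Whitelist from the thread: letters and digits only, nothing else.
    static readonly Regex Allowed = new Regex("^[A-Za-z0-9]+$");

    // Vulnerable form: the user name is spliced into the SQL text, so an input
    // such as aaa' or '1'='1 turns the WHERE clause into a tautology.
    public static string UnsafeSql(string user)
    {
        return "SELECT COUNT(*) FROM Users WHERE UserName = '" + user + "'";
    }

    // SQL Server: a named parameter; the value is never parsed as SQL.
    public static bool ExistsSqlServer(string connStr, string user)
    {
        if (!Allowed.IsMatch(user)) return false;           // server-side validation
        using (SqlConnection cn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT COUNT(*) FROM Users WHERE UserName = @user", cn))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = user;
            cn.Open();
            return (int)cmd.ExecuteScalar() == 1;            // expect exactly one row
        }
    }

    // Access via OleDb: no stored procedures, but parameters still work.
    // OleDb placeholders are positional '?', so add parameters in query order.
    public static bool ExistsAccess(string connStr, string user)
    {
        if (!Allowed.IsMatch(user)) return false;
        using (OleDbConnection cn = new OleDbConnection(connStr))
        using (OleDbCommand cmd = new OleDbCommand(
            "SELECT COUNT(*) FROM Users WHERE UserName = ?", cn))
        {
            cmd.Parameters.Add("@user", OleDbType.VarWChar, 50).Value = user;
            cn.Open();
            return Convert.ToInt32(cmd.ExecuteScalar()) == 1;
        }
    }
}
```

The whitelist check is defence in depth; the parameter alone already keeps the value out of the SQL grammar, which is what makes the Access case safe without stored procedures.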