不确定在哪里发布这个问题,但我担心答案的安全性,所以我的目标就在这里。
我有一个运行的Web服务可靠地返回一个数据集,并允许我提供一个列表现在下拉列表框返回的记录。
我想从DDL捕获用户选择并调用另一个Web服务以返回有关选择的详细信息。因此,在Web服务的查询中有一个WHERE stmt。我当然担心SQL注入。但我希望至少让SQL stmt正常工作。
选择是一个字符串字段类型,看起来像这样,
<WebMethod()> Public Function getDBrecords(ByVal FileName As String) As DataSet
Return GetDataSet("SELECT ID, ptMaster_ID, StrName, LngText, ShrtText, Lcode, Name, FROM tblMstStrng WHERE FileName = """ & FileName & """; ")
End Function
没有运气,它会因为SOAP错误而崩溃我的应用程序。
“无法自动进入服务器。附加到服务器进程失败。已连接dbugger。”
在我清除消息框后......
System.Web.Services.Protocols.SoapException was unhandled
Actor=""
Lang=""
Message="System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.Data.SqlClient.SqlException: Invalid column name 'DD_EBSKW20_380_db.pts'. at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection) at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection) at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj) at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj) at System.Data.SqlClient.SqlDataReader.ConsumeMetaData() at System.Data.SqlClient.SqlDataReader.get_MetaData() at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString) at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async) at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result) at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method) at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method) at System.Data.SqlClient.SqlCommand.ExecuteDbDataReader(CommandBehavior behavior) at System.Data.Common.DbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior) at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet) at stringInfo.GetDataSet(String strSQL) in C:\Visual Studio 2008\WebSites\WebSite2\App_Code\stringInfo.vb:line 32 at stringInfo.getDBrecords(String dbName) in C:\Visual Studio 2008\WebSites\WebSite2\App_Code\stringInfo.vb:line 74 --- End of inner exception stack trace ---"
Node=""
Role=""
Source="System.Web.Services"
StackTrace:
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at MultiLangWeb.localhost.stringInfo.getDBrecords(String dbName) in C:\Visual Studio 2008\Projects\MultiLangWeb\MultiLangWeb\Web References\localhost\Reference.vb:line 118
at MultiLangWeb.Main.Button6_Click(Object sender, EventArgs e) in C:\Visual Studio 2008\Projects\MultiLangWeb\MultiLangWeb\Main.Designer.vb:line 388
at System.Windows.Forms.Control.OnClick(EventArgs e)
at System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
at System.Windows.Forms.Control.WndProc(Message& m)
at System.Windows.Forms.ButtonBase.WndProc(Message& m)
at System.Windows.Forms.Button.WndProc(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
at System.Windows.Forms.UnsafeNativeMethods.DispatchMessageW(MSG& msg)
at System.Windows.Forms.Application.ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(Int32 dwComponentID, Int32 reason, Int32 pvLoopData)
at System.Windows.Forms.Application.ThreadContext.RunMessageLoopInner(Int32 reason, ApplicationContext context)
at System.Windows.Forms.Application.ThreadContext.RunMessageLoop(Int32 reason, ApplicationContext context)
at Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.OnRun()
at Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.DoApplicationModel()
at Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.Run(String[] commandLine)
at MultiLangWeb.My.MyApplication.Main(String[] Args) in 17d14f5c-a337-4978-8281-53493378c1071.vb:line 81
at System.AppDomain._nExecuteAssembly(Assembly assembly, String[] args)
at Microsoft.VisualStudio.HostingProcess.HostProc.RunUsersAssembly()
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.ThreadHelper.ThreadStart()
InnerException:
如果我使用WHERE子句删除查询,那么一切都适用于其他Web服务。
答案 0 :(得分:2)
一旦你解决了与你的实际问题无关的其他问题,你只需要参数化你的输入。因此,您的查询字面将变为:
"SELECT ID, ptMaster_ID, StrName, LngText, ShrtText, Lcode, Name, FROM tblMasterStringPTS WHERE FileName = @FileName"
我不确定你的实现是什么用于检索你的数据集,但我假设你在那里有一个SqlCommand对象。添加参数
command.Parameters.Add(New SqlParameter("@FileName", FileName))
应该非常接近你所需要的。
你去了,没有SQL注入风险。
有关详细信息,请访问this MSDN link.
答案 1 :(得分:1)
首先,问题看起来与作为Web服务无关,为什么不在服务器上运行一个探查器来查看命令究竟是什么命令到SQL服务器?
另一件事是你查询:建议使用存储过程。不仅为了便于管理,更重要的是为了安全起见。
你可以在这里找到一篇来自microsoft msdn杂志的精彩文章:http://msdn.microsoft.com/en-au/magazine/hh708755.aspx
答案 2 :(得分:0)
第一个问题是SQL Server QUOTED_IDENTIFIER设置为ON,因此它将文件名视为列名,因为它嵌入在双引号中。
您可以通过更改以下内容来解决此问题:
FileName = """ & FileName & """
到
FileName = "'" & FileName & "'"
这就是你接受这个行为的原因:
Invalid column name 'DD_EBSKW20_380_db.pts'
第二个问题是这对SQL注入攻击是完全开放的。您应该让被调用的方法向正在执行的命令添加参数,以文件名作为参数执行sql作为存储过程,或者(最少推荐)尝试清除任何潜在的SQL注入字符(即'和; )在提交之前自己从文件名中获取。