Algorithm to avoid SQL injection on MSSQL Server from C# code?

2023-09-02 01:32:54 Author: 半梦半醒半浮生√

What would be the best way to avoid SQL injection on the C#.NET platform?

Please post a C# implementation if you have any.

Recommended answer

Top 10 things we can do to be safe (No one of these will do it all.)

1. Adopt the notion that, "All data is evil." All data, even the data stored in the database or on our file system, is suspect. Not just data input from apps outside our firewall like query strings, form fields, cookies, etc. Anything can be used to compromise a system.

2. Don't rely on client-side validation of JavaScript or HTML field lengths, or even server-side web APIs that use client-side validation. Use it to improve usability, but don't rely on it as the sole guard. Know how validators provided by APIs like .NET work. Don't take them for granted. There are ways around them.

3. Do positive matching to catch all data as it goes in. If the data matches character ranges of a regular expression, then it's okay. This disallows weird Unicode characters into our database that might accidentally delimit something in SQL or create other problems like homographic XSS/phishing attacks. In contrast, negative matching requires lists of all the bad characters, which seem to grow all the time. This is a bad approach. Positive matching is better. We reject bad data; we don't sanitize or escape it.

4. When possible, consider filtering, flagging, or catching string data with "update", "delete", "drop", "select", "alter", etc. This may not be possible given the nature of the string. "1212 Lemondrop Ln", "Waltersburg, PA", and "Table Rock, NE" are valid address fields. Running a daily scan of all table data for fields that match any of these could reveal delayed attacks or vulnerabilities. Also logging, IP banning, email alerts, etc. could be used as the data comes inbound.

5. Use stored procedures and/or parameterized queries as much as possible. Avoid dynamic SQL both in DB client code and in SQL. (Avoid EXEC statements with dynamic code with external sections in your stored procedures!!!) Parameterization will escape string terminators like the apostrophe, catch field lengths, and type check. We can't always rely on the APIs that provide parameterization to be perfect, but they are written by people much more aware of database idiosyncrasies than most of us.

6. Be sure that no stray code is sitting around in a world readable/executable web directory. If it's not part of the active site, archive it somewhere secure and delete it from public view. Same goes for unused stored procedures.

7. Stay up to date on the database APIs. Some ways of executing SQL statements in some APIs are not as secure as others.

8. Store passwords securely with one-way encryption. This way, a table dump of usernames and passwords should still keep people out.

9. Harden the server in all the usual ways. For example, when possible, give least privilege on database tables. Limit access of web server database accounts strictly to the tables in question. Use read only as much as possible. Create multiple accounts that create a divide between the access rights of public and in-house/trusted traffic.

10. Catch errors gracefully. This goes for all code, not just code that uses the database. SQL injection attacks specifically do rely on error messages, however, and so it's desirable to hide as much as is possible about the database from the public. Always write code that handles exceptions or empty datasets in a vanilla fashion so as to reveal as little as possible about what type of database we're using, what the fields are in our tables, or what kind of queries we're running. Log errors on the server. Even in the non-database code, it's best to keep quiet about third party components, file folder structures, other services we may be running, etc. Giving malicious users as little information as possible is key to keeping them clueless.

And #11, always revisit/revise this list. Always be up to date. Be proactive. Make it an upfront priority and requirement, not an afterthought.
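The question asks for a C# implementation, and the answer above gives the principles but no code. The following is an added example, not part of the original answer, showing three of its points together: positive-match validation of the input (item 3), a typed parameter passed to a stored procedure instead of string-spliced SQL (item 5), and exception handling that logs the detail server-side while returning a vanilla message (item 10). It assumes a table `dbo.Customers(Id int, LastName nvarchar(50), City nvarchar(50))`, a stored procedure `dbo.FindCustomersByLastName(@LastName nvarchar(50))`, a caller-supplied connection string, and a caller-supplied `log` delegate; all of these are hypothetical names chosen for the example. It uses `System.Data.SqlClient`; `Microsoft.Data.SqlClient` exposes the same types.

```csharp
// Added example, not the original answer's code. Hypothetical schema:
//   dbo.Customers(Id int, LastName nvarchar(50), City nvarchar(50))
//   dbo.FindCustomersByLastName(@LastName nvarchar(50))  -- SELECT Id, LastName, City ... WHERE LastName = @LastName
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public sealed class Customer
{
    public int Id { get; set; }
    public string LastName { get; set; }
    public string City { get; set; }
}

public static class CustomerRepository
{
    // Item 3, positive matching: letters (any script), spaces, apostrophes and hyphens, 1 to 50 chars.
    // Input that does not match is rejected outright; it is never "cleaned up" or escaped.
    private static readonly Regex LastNamePattern =
        new Regex(@"^[\p{L} '\-]{1,50}$", RegexOptions.Compiled | RegexOptions.CultureInvariant);

    public static bool IsValidLastName(string value) =>
        value != null && LastNamePattern.IsMatch(value);

    // Dynamic SQL, the thing item 5 says to avoid. Shown only for contrast and never executed here:
    // a perfectly legitimate name such as O'Brien already breaks this statement, before any attacker shows up.
    public static string BuildDynamicSqlForContrast(string lastName) =>
        "SELECT Id, LastName, City FROM dbo.Customers WHERE LastName = '" + lastName + "'";

    // Item 5, parameterized call: the value travels as a typed NVARCHAR(50) parameter and is never
    // part of the SQL text, so an apostrophe in the name is data, not a string terminator.
    public static IList<Customer> FindByLastName(string connectionString, string lastName)
    {
        if (!IsValidLastName(lastName))
            throw new ArgumentException("Last name contains characters outside the allowed set.", nameof(lastName));

        var results = new List<Customer>();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("dbo.FindCustomersByLastName", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            // Explicit type and length: the driver type-checks and enforces the column length for us.
            // Inline-text equivalent: new SqlCommand("SELECT Id, LastName, City FROM dbo.Customers
            //   WHERE LastName = @LastName", conn) with CommandType.Text and the same parameter.
            cmd.Parameters.Add("@LastName", SqlDbType.NVarChar, 50).Value = lastName;

            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    results.Add(new Customer
                    {
                        Id = reader.GetInt32(0),
                        LastName = reader.GetString(1),
                        City = reader.GetString(2),
                    });
                }
            }
        }
        return results;
    }

    // Item 10, graceful errors: the full SqlException (which names tables, columns and the engine)
    // goes to the server-side log only; the caller gets a message that reveals nothing about the database.
    // 'log' is a hypothetical sink supplied by the caller (e.g. a logging framework).
    public static IList<Customer> FindByLastNameSafely(string connectionString, string lastName, Action<string> log)
    {
        try
        {
            return FindByLastName(connectionString, lastName);
        }
        catch (SqlException ex)
        {
            log("Customer lookup failed: " + ex);                                   // detail stays on the server
            throw new InvalidOperationException("The request could not be completed."); // vanilla message outward
        }
    }
}
```

Note the division of labour: the regular expression decides what shape of data is acceptable at all, and the parameter is what makes the accepted data safe to pass to SQL Server. Neither replaces the other; an apostrophe is allowed through the regex precisely because the parameter, not the validator, is responsible for keeping it out of the SQL text.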