0

So I'm about to create a simple site where users can input their own SQL queries, which I will be running on the server side.

I'm aware of SQL injection attacks and assume this could be fairly risky thing to do.

But (if there is any) what would be a safe way to allow this feature?

e.g. I can think of the following rules I can enforce.

  • Allow users to only "SELECT" - never allow UPDATE, DELETE (or anything else).
  • Allow users to only access certain tables (if I know them).

Are there any other security measures I should take?

4

2 回答 2

0

ElectricLlama 指出,除了安全问题外,性能可能也是一个问题。您可能希望提前获取查询的执行计划,如果查询看起来过于昂贵,则拒绝运行: 如何获得查询执行计划?

于 2013-04-12T07:28:49.217 回答
-1

除上述内容外,请确保将用户添加到db_datareader组中,这将使它们成为只读的。我猜您将使用单个用户来执行该数据库操作。

如果用户不小心做了几个交叉连接,你仍然会导致数据库失败:

SELECT *
FROM Table1,Table2,Table3
WHERE Table1.Field1=Table2.Field2
-- Oops I forgot to enter the Table3 Join condition 
-- so now I get a cross join which will cause havoc
-- If the table is of appreciative size

但无论如何,这仍然是有风险的!有人会发现一个安全漏洞!

于 2013-04-12T05:56:29.770 回答