1

I am currently learning ASP.NET MVC C# Code First.

When scaffolding views or using the Razor syntax helpers to generate forms, I noticed that the generated code sets the HTML form element names to the exact names of the db tables in the database. In addition, this exposes the database structure and the entity relationships.

Example Razor syntax in the view

@Html.HiddenFor(model => model.Product.ProductType.Name)

The generated HTML is as follows

<input id="Product_ProductType_Name" 
    name="Product.ProductType.Name" 
    type="hidden" value="Fruits" />

From this small snippet of generated HTML alone, a user of the system can tell that there are 2 tables, and the field names as written in the db:

  • Product
  • ProductType
  • Name (a ProductType field)

Is there a way to hide this, for example by putting in a hidden table prefix such as asdf_, making the table names asdf_Product and asdf_ProductType respectively, or is this not necessary?

Suppose this were a username/password field. A potential hacker would know exactly the name of the table they should try to attack.

Please advise if there is no reason to worry.

4

3 Answers

2

Knowing table names is not in itself a vulnerability. Your application should be resilient to attack even if the table names are known.

After all, if it has some vulnerability that allows queries to be executed for known table names, then the attacker could just query INFORMATION_SCHEMA.TABLES first and retrieve the table names.

Just make sure that you parameterise all queries and that the account used by the site does not have unnecessary privileges.

answered 2013-06-06T15:23:43.697
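As an added illustration of the point this answer makes (example code, not from the answer itself), here is the same lookup written both ways in ADO.NET. The table and column names (Users, UserName, PasswordHash) and the attacker string are assumed for the example; the injection only works against the concatenated version, and against that version a renamed table is no obstacle because the catalogue can simply be read.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example; assumed schema: table Users(UserName, PasswordHash).
public static class UserRepository
{
    // Constructed attacker input. Against UnsafeLookup it closes the string
    // literal and appends a UNION that reads the catalogue, so a table named
    // asdf_Users instead of Users is discovered in the same request.
    public const string EnumerateTablesPayload =
        "' UNION SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES --";

    // Vulnerable: user input becomes part of the SQL text.
    // Any secrecy about the table name is lost as soon as this is reachable.
    public static string UnsafeLookup(SqlConnection conn, string userName)
    {
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandText =
                "SELECT PasswordHash FROM Users WHERE UserName = '" + userName + "'";
            return cmd.ExecuteScalar() as string;
        }
    }

    // Safe: the value travels as a typed parameter and is never parsed as SQL.
    // The table name can be public knowledge without creating an injection path.
    public static string SafeLookup(SqlConnection conn, string userName)
    {
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandText =
                "SELECT PasswordHash FROM Users WHERE UserName = @userName";
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = userName;
            return cmd.ExecuteScalar() as string;
        }
    }
}
```

The second half of the answer, least privilege for the site's login, is what limits the damage if a query does slip through: the account running SafeLookup only needs SELECT on the tables the application reads and has no reason to own the schema or to be db_owner.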
2

You can use a view model for the view in question. This basically consists of creating a new model class to which you add only the necessary items, and in which you can rename the fields as you like.

public class FormViewModel
{
    // The view only ever sees this property name, not the entity/column name
    public string ViewName { get; set; }
    // ...

    // Parameterless constructor so the model binder can create it on POST
    public FormViewModel()
    {
    }

    public FormViewModel(ProductType type)
    {
        ViewName = type.Name;
        // ...
    }
}

This can then be passed to the view in place of your EF model. When the model comes back to the Action, you simply reverse the process:

Product.ProductType.Name = model.ViewName;

This also helps avoid passing "junk" data to the view: you don't haul the whole kitchen along when all you need is a spoon.

answered 2013-06-06T15:23:25.140
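The round trip this answer describes, carried through to a complete controller, as an added example that is not the answerer's code. It assumes EF Code First entities Product (with an Id and a ProductType navigation property) and ProductType (with a Name), and a DbContext named ShopContext; the view model and controller names are made up for the example. The view binds to `Category`, so the rendered input is `name="Category"` rather than `name="Product.ProductType.Name"`, and on POST only that one property is copied back onto the entity.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Data.Entity;
using System.Linq;
using System.Web.Mvc;

// Added example. Assumed entities: Product { int Id; ProductType ProductType; }
// and ProductType { string Name; }, plus an assumed DbContext ShopContext
// exposing DbSet<Product> Products.
public class ProductCategoryViewModel
{
    // Surrogate key of the row being edited; says nothing about the column layout.
    public int Id { get; set; }

    // Rendered as <input name="Category" ...> by @Html.TextBoxFor(m => m.Category)
    [Required, StringLength(100)]
    [Display(Name = "Category")]
    public string Category { get; set; }

    // Needed by the model binder on POST
    public ProductCategoryViewModel() { }

    public ProductCategoryViewModel(Product product)
    {
        Id = product.Id;
        Category = product.ProductType.Name;
    }
}

public class ProductController : Controller
{
    private readonly ShopContext _db = new ShopContext();

    [HttpGet]
    public ActionResult Edit(int id)
    {
        var product = _db.Products
                         .Include(p => p.ProductType)
                         .SingleOrDefault(p => p.Id == id);
        if (product == null) return HttpNotFound();

        // The EF entity never reaches the view; only the view model does.
        return View(new ProductCategoryViewModel(product));
    }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit(ProductCategoryViewModel model)
    {
        if (!ModelState.IsValid) return View(model);

        var product = _db.Products
                         .Include(p => p.ProductType)
                         .SingleOrDefault(p => p.Id == model.Id);
        if (product == null) return HttpNotFound();

        // Reverse the mapping explicitly. Because the binder populates the view
        // model and not the entity, extra posted fields such as "ProductType.Id"
        // are simply dropped (no over-posting into the entity graph).
        product.ProductType.Name = model.Category;
        _db.SaveChanges();

        return RedirectToAction("Edit", new { id = model.Id });
    }

    protected override void Dispose(bool disposing)
    {
        if (disposing) _db.Dispose();
        base.Dispose(disposing);
    }
}
```

The Razor side is the same as the question's, with the view model as `@model ProductCategoryViewModel` and `@Html.TextBoxFor(m => m.Category)` in the form. Which property names appear in the HTML is now a decision made in the view model, independent of whatever the tables are called.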
0

Strange, showing the table names in the view? I prefer to use the models only to show the data needed for the view, so you don't have to expose any structure. Just make a new layer for db access, use the repository pattern and never make a call to your db from your controller. I would say it's bad design. MVC is a view pattern and a view with db access is dangerous.

Make a new project for your db and use the repository and unit of work patterns. Don't throw your view models into the database; use them as data transfer objects to validate the model state from the user input and keep the logic in other layers like the business layer.

Separation of concerns... I use an extra layer for data access (DAL) and a common area for my entities.

And by the way, I hope you use [RequireHttps] and an AntiForgeryToken in your forms and your controllers.

answered 2013-06-18T19:47:28.390