1

I have been attacked on my last few questions here for writing code that is open to injections. I am looking for honest help to make sure I am finally doing this the safest and correct way. Please give me any tips to make this as secure as possible.

using (SqlConnection conn = new SqlConnection(""))
        {
            try
            {
                SqlCommand cmd = new SqlCommand(@"INSERT dbo.Table (FullName, Category, Street, City, State, Zip, PhoneDay, PhoneEven, Email, Employer, Description, UserName, 
                                                  UserStreet, UserCity, UserState, UserZip, UserPhoneDay, UserPhoneEven, UserEmail, SubmitDate) 
                                                  VALUES (@f1, @f2, @f3, @f4, @f5, @f6, @f7, @f8, @f9, @f10, @f11, @f12, @f13, @f14, @f15, @f16, @f17, @f18, @f19, @f20)", conn);
                conn.Open();
                cmd.Parameters.Add("@f1", SqlDbType.NVarChar, 100).Value = NameTxtBox.Text;
                cmd.Parameters.Add("@f2", SqlDbType.NVarChar, 100).Value = HeroicList.SelectedValue;
                cmd.Parameters.Add("@f3", SqlDbType.NVarChar, 100).Value = StreetTxtBox.Text;
                cmd.Parameters.Add("@f4", SqlDbType.NVarChar, 100).Value = CityTxtBox.Text;
                cmd.Parameters.Add("@f5", SqlDbType.NVarChar, 100).Value = StateTxtBox.Text;
                cmd.Parameters.Add("@f6", SqlDbType.NVarChar, 100).Value = ZipTxtBox.Text;
                cmd.Parameters.Add("@f7", SqlDbType.NVarChar, 100).Value = PhoneDayTxtBox.Text;
                cmd.Parameters.Add("@f8", SqlDbType.NVarChar, 100).Value = PhoneEvenTxtBox.Text;
                cmd.Parameters.Add("@f9", SqlDbType.NVarChar, 100).Value = EmailTxtBox.Text;
                cmd.Parameters.Add("@f10", SqlDbType.NVarChar, 100).Value = EmpTxtBox.Text;
                cmd.Parameters.Add("@f11", SqlDbType.NVarChar, 100).Value = WhyTxtBox.Text;
                cmd.Parameters.Add("@f12", SqlDbType.NVarChar, 100).Value = UserNameTxtBox.Text;
                cmd.Parameters.Add("@f13", SqlDbType.NVarChar, 100).Value = UserStreetTxtBox.Text;
                cmd.Parameters.Add("@f14", SqlDbType.NVarChar, 100).Value = UserCityTxtBox.Text;
                cmd.Parameters.Add("@f15", SqlDbType.NVarChar, 100).Value = UserStateTxtBox.Text;
                cmd.Parameters.Add("@f16", SqlDbType.NVarChar, 100).Value = UserZipTxtBox.Text;
                cmd.Parameters.Add("@f17", SqlDbType.NVarChar, 100).Value = UserPhoneDayTxtBox.Text;
                cmd.Parameters.Add("@f18", SqlDbType.NVarChar, 100).Value = UserPhoneEvenTxtBox.Text;
                cmd.Parameters.Add("@f19", SqlDbType.NVarChar, 100).Value = UserEmailTxtBox.Text;
                cmd.Parameters.Add("@f20", SqlDbType.DateTime).Value = DateTime.Now.ToString();
                cmd.ExecuteNonQuery();

                messageLabel.Text = "Your submission has been sent!";
                messageLabel.Visible = true;
            }
            catch (System.Data.SqlClient.SqlException ex)
            {
                messageLabel.Text = ex.Message;
                messageLabel.Visible = true;
            }
        }
4

1 回答 1

4

您在插入方面受到保护,是的。使用您的代码,用户在任何文本框中输入的内容(或他们在他们可以制作的任何其他类型的响应中输入的内容)都没有关系,除了将他们的数据卡在新行的字段中之外,不会发生任何事情给定的表格,就像给你的字符串一样。

有人可以恶意注入代码的唯一方法(想到的)取决于您如何使用数据库中的数据。例如,如果您从该表中取出一个字段并将其粘贴到 a 中LiteralControl而不转义任何内容并将其显示给其他用户,那么有人可能会粘贴他们在另一个人的机器上运行的讨厌的 JavaScript 代码。那将是“跨站点脚本”攻击。为防止这种情况发生,您需要确保在显示任何用户输入的数据之前对其进行清理。

于 2013-08-09T18:32:26.630 回答