0

I'm developing a application that's for SQL-surveillance, it's just a console application that will run each 5min on a bunch of servers. It has a config file with connection string and sql query. The thing is I would like the program to accept SELECT queries only.

I colleague told me he thought I could set something in the SqlCommand-class but I've been googling for a while without any success. Anyone got a clean solution on my problem? I've thought about searching the query for different words but it's to much that can go wrong.

Any suggestions are welcome!

4

3 回答 3

2

可以限制数据库表本身。
您可以撤消所有权限,但可以从应用程序的用户中进行选择。
搜索REVOKE/GRANTSQL-SERVER 的命令。

于 2010-09-06T10:20:13.617 回答
0

除非您的应用程序自己构建整个 SELECT 语句,否则这是不可能的。

问题是,即使您确保第一个单词是 SELECT,也没有什么可以阻止恶意用户终止命令,然后也发出 EXEC 或 UPDATE 语句。

最好的解决方案是确保连接字符串中引用的用户帐户对 SQL 对象具有有限的权限,因此只有支持对象中的 SELECT 才能工作。

于 2010-09-06T10:19:57.827 回答
-2

授予权限将是更好的方法,但您仍然可以解析语句,即使它是一系列 SQL 命令,使用如下所示:

bool OkToRun = true;
foreach(string s in TheQueryString.Split(";".ToCharArray(), StringSplitOptions.RemoveEmptyEntries))
    if (!s.Trim().ToUpper().StartsWith("SELECT "))
        OkToRun = false;
于 2010-09-06T10:29:02.753 回答