工作日志5/27 - SQL Parameterization & Character Count

最新推荐文章于 2020-09-11 22:01:29 发布
原创 最新推荐文章于 2020-09-11 22:01:29 发布 · 458 阅读 · 0 ·
CC 4.0 BY-SA版权
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。

本文介绍了修复一个存在SQL注入漏洞的在线目录系统的经历,通过使用参数化查询替代字符串拼接,增强了系统的安全性。

今天主要任务就是把Online Directory那个表格的错误修好,主要是擦之前老头的屁股上的屎,他没用SQL injection,所以我要用Parameterization来修复所有的。

用了

strAcademics =
                        @"INSERT INTO [OnlineDirectoryFacultyAcademics] (
                          SerialId, 
                          EDUCATION, 
                          TEACHING, 
                          RESEARCH, 
                          CreativeActivities, 
                          EXTENSION, 
                          PROFESSIONAL, 
                          GeneralPosDescr, 
                          SPECIALTY, 
                          AreaOfResearch,  
                          ApplicationsOfResearch,  
                          COMMITTEEACTIVITIES,  
                          GRANTS,  
                          PATENTS, 
                          PUBLICATIONS, 
                          AWARDS, 
                          VITA,
                          FORMERPOSITIONSHELD,
                          LINKTOMYPAGE, 
                          AREAOFSTUDYINTEREST, 
                          WANTTOBEEXPERT, 
                          MODIFIEDBY, 
                          PROFILEAPPROVED, 
                          PHOTO,  
                          DATETIMEMODIFIED, 
                          BIOGRAPHY ) 
                          VALUES(@SerialId, 
                          @Education,
                          @Teaching,
                          @Research,
                          @CreativeActivities,
                          @Extension, 
                          @Professional,
                          @GenPosDescr,
                          @Specialty,
                          @AreaOfResearch, 
                          @ApplicationsOfResearch, 
                          @CommitteeAct,
                          @Grants,
                          @Patents,
                          @Publications,
                          @Awards,
                          '" + uploadedFile + "'," +
                          @"@FHP,
                          @Link,
                          @Area,
                          '" + bExpert + "'," +
                          "'" + LoginUserName + "'," +
                          "'" + profileApproved + "'," +
                          "'" + uploadedPhoto + "'," +
                          "'" + DateTime.Now.ToLocalTime() +
                          "',@Bio)";
                        /*
						"VALUES " +
						"( " +
						"   " + Request.QueryString["SerialId"] + ", " +
						"   '" + ChangeString(txtEducation.Text) + "', " +
						"   '" + ChangeString(txtTeaching.Text) + "', " +
						"   '" + ChangeString(txtResearch.Text) + "', " +
						"   '" + ChangeString(txtCreativeActivities.Text) + "', " +		//	JM, 4/24/12 - Code added for "Creative Activities" field
						"   '" + ChangeString(txtExtension.Text) + "', " +
						"   '" + ChangeString(txtProfessional.Text) + "', " +
						"   '" + ChangeString(txtGenPosDescr.Text) + "', " +	//	JM, 4/23/12 - Code added for "General Position Description" field
                        "   '" + ChangeString(txtSpecialty.Text) + "', " +
                        // "   '" + ChangeString(txtAreaOfResearch.Text) + "', " +//added CQ
                        // "   '" + ChangeString(txtApplicationsOfResearch.Text) + "', " +//added CQ
                        "   '" + ChangeString(txtCommitteeAct.Text) + "', " +
						"   '" + ChangeString(txtGrants.Text) + "', " +
						"   '" + ChangeString(txtPatents.Text) + "', " +
						"   '" + ChangeString(txtPublications.Text) + "', " +
						"   '" + ChangeString(txtAwards.Text) + "', " +
						"   '" + uploadedFile + "', " +
						"   '" + ChangeString(txtFHP.Text) + "', " +
						"   '" + ChangeString(txtLink.Text) + "', " +
						"   '" + ChangeString(txtArea.Text) + "', " +
						"   '" + bExpert + "', " +
						"   '" + LoginUserName + "', " +
						"   '" + profileApproved + "', " +
						"   '" + uploadedPhoto + "', " +
						"   '" + DateTime.Now.ToLocalTime() + "', " +
						"   '" + ChangeString(txtBio.Text) + "' " +
                        ")";*/
                    SqlCommand cmdAcademics = new SqlCommand(strAcademics, dbConn);
                    cmdAcademics.Parameters.AddWithValue("@SerialId", Request.QueryString["SerialId"]);
                    cmdAcademics.Parameters.AddWithValue("@Education",  txtEducation.Text);
                    cmdAcademics.Parameters.AddWithValue("@Teaching",  txtTeaching.Text);
                    cmdAcademics.Parameters.AddWithValue("@Research",  txtResearch.Text);
                    cmdAcademics.Parameters.AddWithValue("@CreativeActivities",  txtCreativeActivities.Text);
                    cmdAcademics.Parameters.AddWithValue("@Extension",  txtExtension.Text);
                    cmdAcademics.Parameters.AddWithValue("@Professional",  txtProfessional.Text);
                    cmdAcademics.Parameters.AddWithValue("@GenPosDescr",  txtGenPosDescr.Text);
                    cmdAcademics.Parameters.AddWithValue("@Specialty",  txtSpecialty.Text);
                    cmdAcademics.Parameters.AddWithValue("@AreaOfResearch",  txtAreaOfResearch.Text);
                    cmdAcademics.Parameters.AddWithValue("@ApplicationsOfResearch",  txtApplicationsOfResearch.Text);
                    cmdAcademics.Parameters.AddWithValue("@CommitteeAct",  txtCommitteeAct.Text);
                    cmdAcademics.Parameters.AddWithValue("@Grants",  txtGrants.Text);
                    cmdAcademics.Parameters.AddWithValue("@Patents",  txtPatents.Text);
                    cmdAcademics.Parameters.AddWithValue("@Publications",  txtPublications.Text);
                    cmdAcademics.Parameters.AddWithValue("@Awards",  txtAwards.Text);
                    cmdAcademics.Parameters.AddWithValue("@FHP",  txtFHP.Text);
                    cmdAcademics.Parameters.AddWithValue("@Link",  txtLink.Text);
                    cmdAcademics.Parameters.AddWithValue("@Area",  txtArea.Text);
                    cmdAcademics.Parameters.AddWithValue("@Bio",  txtBio.Text);
                    cmdAcademics.ExecuteNonQuery();
 
                }	//	End SQL to Add new record to Academics Table
                //moved up to the two conditions by CQ 5/27/2014
                //SqlCommand cmdAcademics = new SqlCommand(strAcademics, dbConn);
                //cmdAcademics.ExecuteNonQuery();
				academicsInserted = true;
			}
			catch (Exception ex)
			{
				if (dbConn.State == ConnectionState.Open)
				{
					dbConn.Close();
				}
				LogToDatabase(ex.ToString());
				academicsInserted = false;
			}
之前他那个changeString为了达到同样的目的,把单引号转换成两个单引号,但是如果SQL statement里面出现双引号也是不行的,他fails to do so,parameterize是最好的解决方法。用到了AddWithValue这个method,比较直白。

需要注意的是,bExpert是个int值,我这里要是把他放在SQL语句的引号里面,他会自动把“bExpert”这个string传过去,就错了,我搞了半天,原来发现传进去的就是string,于是改回来,就好了。

另个活,就是改动validation的,在asmx文件里,

<asp:TextBox ID="txtGenPosDescr" runat="server" Rows="8" TextMode="MultiLine" Width="350px"
					Visible="False" onKeyDown="textCounter2('txtGenPosDescr','txtRemLen2',1500)"
					onKeyUp="textCounter2('txtGenPosDescr','txtRemLen2',1500)" Font-Names="Arial"
					Font-Size="Small" MaxLength="1500"></asp:TextBox>
				<asp:TextBox ID="txtRemLen2" runat="server" ReadOnly="True" Width="30px" Visible="False"
					ForeColor="blue"></asp:TextBox>
				<asp:RegularExpressionValidator ID="RegularExpressionValidator1" runat="server" ControlToValidate="txtGenPosDescr"
					Display="Dynamic" ErrorMessage="Max 1500 characters" Font-Bold="True" ValidationExpression="^[\s\S]{0,1500}$"
					></asp:RegularExpressionValidator>
里面有两个,一个数还剩多少数值,script里另外有专门的textCounter2()method与之对应,一个是数超没超过最大值,都是动态的,鼠标一点开文本框就会给出结果,很酷。

最后git 如果comment最后不是自己,应该clone到本地,在继续work,目前因为只有一个fork,所以就不能合作了。

量化技术Post-Training Quantization for Re-parameterization via Coarse & Fine Weight Splitting解读
bug404
01-18 1094
尽管神经网络在各类应用中取得了显著进展,但它们需要大量的计算和内存资源。网络量化是一种强大的神经网络压缩技术,能够实现更高效、可扩展的人工智能部署。最近,重参数化作为一种有前景的技术崭露头角,它可以在提升模型性能的同时减轻各类计算机视觉任务中的计算负担。然而,在重参数化网络上应用量化时,准确率会显著下降。我们发现,主要挑战源于原始分支间权重分布的巨大差异。为解决这一问题,我们提出一种粗-细权重拆分(CFWS)方法以降低权重的量化误差,并开发一种改进的KL度量来确定激活的最优量化尺度。
NX二次开发UF-CURVE-ask-parameterization 函数介绍
06-21
NX二次开发UF_CURVE_ask_parameterization 函数介绍,Ufun提供了一系列丰富的 API 函数,可以帮助用户实现自动化、定制化和扩展 NX 软件的功能。无论您是从事机械设计、制造、模具设计、逆向工程、CAE 分析等领域的...
SQL Server 参数化 PARAMETERIZATION
weixin_30949361的博客
11-04 242
ALTER DATABASE dbname SET PARAMETERIZATION SIMPLE --默认 ALTER DATABASE dbname SET PARAMETERIZATION FORCED --强制 ,不一定好用 在简单参数化的默认行为下,SQL Server 只对相对较少的一些查询进行参数化。但是,您可以通过将 ALTER DATABASE 命令...
SQL-工作日
trans_101010的博客
11-13 323
某一字段中的内容需要替换(’被替换成&acute;) a 表中的B字段中的“'”要被替换成&acute; select * from a where charindex('\^d',b)>0
浙江03工作日按人员查询 sql
meteor_1988的专栏
09-08 130
with a as ( select acm.name username, count(worklog.logtypeid) totallog, sum(decode(worklog.logtypeid,'ec229560-f915-449d-ae35-3f60903c9197',1,0)) dailylog, sum(decode(worklog...
有效防止sql注入的方法_sql注入有效负载列表
weixin_26747751的博客
09-11 550
有效防止sql注入的方法In this section, we’ll explain what SQL injection is, describe some common examples, explain how to find and exploit various kinds of SQL injection vulnerabilities, and summarize how to pr...
动态sql--------绝对好文!
yethyeth的专栏
01-16 6574
The Curse and Blessings of Dynamic SQLAn SQL text by Erland Sommarskog, SQL Server MVP.An earlier version of this article is also available in Korean, German, Spanish and Vietnames
Find-Sec-Bugs 漏洞范例
zhaohonghan的博客
04-03 1万+
Find-Sec-Bugs 漏洞范例 欢迎使用Markdown编辑器 你好! 这是你第一次使用 Markdown编辑器 所展示的欢迎页。如果你想学习如何使用Markdown编辑器, 可以仔细阅读这篇文章,了解一下Markdown的基本语法知识。 新的改变 我们对Markdown编辑器进行了一些功能拓展与语法支持,除了标准的Markdown编辑器功能,我们增加了如下几点新功能,帮助你用它写博客: ...
SQL Server 2005 术语词汇表
小旭的技术博客
10-08 2467
术语 定义 ActiveX 数据对象 (ActiveX Data Objects) 一种易于使用的应用程序编程接口 (API),用于封装 OLE DB 以在诸如 Visual Basic、Visual Basic for Applicatio
sql词汇表
Angelo Lee's Blog
10-07 2898
<!--alimama_pid="mm_11186767_1172611_2612486";alimama_titlecolor="0000FF";alimama_descolor ="000000";alimama_bgcolor="FFFFFF";alimam
斯坦福大学计算机类课程视频
热门推荐
寸先生的AI道路
10-27 1万+
斯坦福大学计算机类课程都是以CS开头编号,可以在网址https://exploredegrees.stanford.edu/coursedescriptions/cs/查询,在网上可以登录查看课程的课件和视频等,在B站上可以搜索到部分带中文字幕的授课视频,名校的视频确实非常板扎。B站:https://search.bilibili.com/all?keyword=%E6%96%AF%E5%9D%A...
In file included from /home/robocon/vinsmono_ws/src/VINS-Mono/vins_estimator/src/factor/pose_local_parameterization.cpp:1: /home/robocon/vinsmono_ws/src/VINS-Mono/vins_estimator/src/factor/pose_local_parameterization.h:8:1: error: expected class-name before &lsquo;{&rsquo; token 8 | { | ^ make[2]: *** [VINS-Mono/vins_estimator/CMakeFiles/vins_estimator.dir/build.make:115:VINS-Mono/vins_estimator/CMakeFiles/vins_estimator.dir/src/factor/pose_local_parameterization.cpp.o] 错误 1 make[2]: *** 正在等待未完成的任务.... In file included from /home/robocon/vinsmono_ws/src/VINS-Mono/vins_estimator/src/estimator.h:16, from /home/robocon/vinsmono_ws/src/VINS-Mono/vins_estimator/src/estimator_node.cpp:11: /home/robocon/vinsmono_ws/src/VINS-Mono/vins_estimator/src/factor/pose_local_parameterization.h:8:1: error: expected class-name before &lsquo;{&rsquo; token 8 | { | ^ In file included from /home/robocon/vinsmono_ws/src/VINS-Mono/vins_estimator/src/estimator.h:16, from /home/robocon/vinsmono_ws/src/VINS-Mono/vins_estimator/src/estimator.cpp:1: /home/robocon/vinsmono_ws/src/VINS-Mono/vins_estimator/src/factor/pose_local_parameterization.h:8:1: error: expected class-name before &lsquo;{&rsquo; token 8 | { | ^ /home/robocon/vinsmono_ws/src/VINS-Mono/vins_estimator/src/estimator.cpp: In member function &lsquo;void Estimator::optimization()&rsquo;: /home/robocon/vinsmono_ws/src/VINS-Mono/vins_estimator/src/estimator.cpp:678:16: error: &lsquo;LocalParameterization&rsquo; is not a member of &lsquo;ceres&rsquo;
最新发布
07-12
#include &quot;ceres/local_parameterization.h&quot; ``` 如果未找到此头文件,请检查 Ceres 是否已正确安装,并确认编译时的 include 路径是否包含 Ceres 的安装目录。 - **命名空间使用错误**:在 Ceres 中,`...
[ 71%] Building CXX object VINS-Fusion/vins_estimator/CMakeFiles/vins_lib.dir/src/estimator/feature_manager.cpp.o /home/y/vins-fusion/src/VINS-Fusion/loop_fusion/src/pose_graph.cpp: In member function &lsquo;int PoseGraph::detectLoop(KeyFrame*, int)&rsquo;: /home/y/vins-fusion/src/VINS-Fusion/loop_fusion/src/pose_graph.cpp:409:47: warning: comparison of integer expressions of different signedness: &lsquo;DBoW2::EntryId&rsquo; {aka &lsquo;unsigned int&rsquo;} and &lsquo;int&rsquo; [-Wsign-compare] 409 | if (min_index == -1 || (ret[i].Id &lt; min_index &amp;&amp; ret[i].Score &gt; 0.015)) In file included from /home/y/vins-fusion/src/VINS-Fusion/loop_fusion/src/ThirdParty/DBoW/DBoW2.h:63, from /home/y/vins-fusion/src/VINS-Fusion/loop_fusion/src/keyframe.h:24, from /home/y/vins-fusion/src/VINS-Fusion/loop_fusion/src/pose_graph.h:28, from /home/y/vins-fusion/src/VINS-Fusion/loop_fusion/src/pose_graph.cpp:12: /home/y/vins-fusion/src/VINS-Fusion/loop_fusion/src/ThirdParty/DBoW/TemplatedVocabulary.h: In instantiation of &lsquo;void DBoW2::TemplatedVocabulary&lt;TDescriptor, F&gt;::loadBin(const string&amp;) [with TDescriptor = boost::dynamic_bitset&lt;&gt;; F = DBoW2::FBrief; std::string = std::__cxx11::basic_string&lt;char&gt;]&rsquo;: /home/y/vins-fusion/src/VINS-Fusion/loop_fusion/src/ThirdParty/DBoW/TemplatedVocabulary.h:439:5: required from &lsquo;DBoW2::TemplatedVocabulary&lt;TDescriptor, F&gt;::TemplatedVocabulary(const string&amp;) [with TDescriptor = boost::dynamic_bitset&lt;&gt;; F = DBoW2::FBrief; std::string = std::__cxx11::basic_string&lt;char&gt;]&rsquo; /home/y/vins-fusion/src/VINS-Fusion/loop_fusion/src/pose_graph.cpp:64:39: required from here /home/y/vins-fusion/src/VINS-Fusion/loop_fusion/src/ThirdParty/DBoW/TemplatedVocabulary.h:1529:29: warning: comparison of integer expressions of different signedness: &lsquo;unsigned int&rsquo; and &lsquo;int32_t&rsquo; {aka &lsquo;int&rsquo;} [-Wsign-compare] 1529 | for(unsigned int i = 0; i &lt; voc.nNodes; ++i) | ~~^~~~~~~~~~~~ /home/y/vins-fusion/src/VINS-Fusion/loop_fusion/src/ThirdParty/DBoW/TemplatedVocabulary.h:1553:29: warning: comparison of integer expressions of different signedness: &lsquo;unsigned int&rsquo; and &lsquo;int32_t&rsquo; {aka &lsquo;int&rsquo;} [-Wsign-compare] 1553 | for(unsigned int i = 0; i &lt; voc.nWords; ++i) | ~~^~~~~~~~~~~~ [ 72%] Building CXX object VINS-Fusion/vins_estimator/CMakeFiles/vins_lib.dir/src/factor/pose_local_parameterization.cpp.o [ 73%] Building CXX object VINS-Fusion/vins_estimator/CMakeFiles/vins_lib.dir/src/factor/projectionTwoFrameOneCamFactor.cpp.o [ 75%] Building CXX object VINS-Fusion/vins_estimator/CMakeFiles/vins_lib.dir/src/factor/projectionTwoFrameTwoCamFactor.cpp.o [ 76%] Building CXX object VINS-Fusion/
03-26
嗯,用户给了一个编译输出的日,里面有几个警告,还有构建进度。看起来用户可能是在编译VINS-Fusion项目时遇到了问题,需要帮助解决这些警告或者理解这些信息。首先,我需要分析这些警告的具体内容和原因。 首先...
6/16 表格完成 服务no element found
wcq3692012的专栏
06-18 813
其中一个call service出错是因为DB读取的数字,不能是“”,所以我在js里面设置了判断,使之默认为0如无输入。 另外在textarea的width上,我直接用了textarea标签,而不是input 再选type这样没有用。 最后安娜提出应该在用户输入完成之后便validate输入,而不是在submit之前,也有道理。 SQLExecute Error: Could not
6/12 writing mockups - REST and SOPA
wcq3692012的专栏
06-13 811
早上一开机,等了10分钟还是still waiting
5/29工作日-组会记录,Email address validation
wcq3692012的专栏
05-30 763
今早开周会,讨论全校范围内的如何提高efficiency,
6/18 Protecting email addresses from spam bots
wcq3692012的专栏
06-19 754
之前是用就解决了,但是现在网上的一些bot会自动lia
7/23 Ajax .NET save content automatically and redirect to same page without new tabs
wcq3692012的专栏
07-24 698
这两天改Form,比较有意思的是从
SQL case when,create, delete table
wcq3692012的专栏
08-06 692
今天做了几个report,用了不少sql语句,bijia
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值