Sharepoint Database Security - SQL injection

Developer https://www.devze.com 2023-02-18 10:23 Source: web

I've developed a custom web part for SharePoint, and I'm concerned about its security. The web part is essentially a quiz framework that begins by having a user 'register'; they simply enter their name and email address. For successful quizzes, the result is recorded in a list, and those registration variables are placed directly into the list.

Should I be concerned about SQL injection attacks? Is the data escaped by SharePoint before it's added to the list? Or, does SharePoint use named parameters with a prepared statement? Alternatively, does it just go in verbatim?

Thanks for any insight.

UPDATE

I should maybe rephrase that I am inserting code into a SharePoint list, so it's not going 'directly' into the database. I'm uncertain about the process that takes place (specifically regarding security) when an item is inserted into a list and (I'm assuming) into a database table somewhere. Here is some of the code I'm using:

Get user input through standard HTML input

 output.Write("<div>Please enter your e-mail address</div><div><input type=\"text\" value=\"\" size=\"30\" name=\"takerEmail\"></div>");

Here is how the data is inserted

    using (SPSite siteSuccessWrite = new SPSite("http://www.mycompany.com"))
    {
        using (SPWeb webSuccessWrite = siteSuccessWrite.OpenWeb())
        {
            // Look up the results list by name and add a new item to it
            SPList insertResults = webSuccessWrite.Lists[resultsList];
            SPListItem quizEntry = insertResults.Items.Add();

            // Registration values and the score are stored as list columns
            quizEntry["firstName"] = firstName;
            quizEntry["lastName"] = lastName;
            quizEntry["email"] = email;
            quizEntry["phone"] = phone;
            quizEntry["department"] = dept;
            quizEntry["score"] = score;

            // Commit the item to the list (and, through SharePoint, to the content database)
            quizEntry.Update();
        }
    }


When using the object model you won't have to worry about SQL Injection as Sharepoint handles that for you (it uses parameterized stored procedures internally).

You DO have to worry about XSS and the likes when showing the Quiz Results to the user/judge though, as unescaped HTML can easily call the SharePoint Web Services/Client Object Model and do stuff in the context of the current user.
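The XSS point above, as an added example that is not part of the question or this answer: the registration values are read back out of the same list columns the question writes, once inserted verbatim (as the question's web part does) and once HTML-encoded at output time. The `output` writer, the `resultsList` name and the column names are assumptions carried over from the question's code.

```csharp
// Added example, not code from the question or the answer.
using System;
using System.Web;
using System.Web.UI;
using Microsoft.SharePoint;

public static class QuizResultsRenderer
{
    // Unsafe: whatever a user typed at registration time (tags, script,
    // event-handler attributes) becomes part of the results page and runs
    // in the browser of whoever views it, with that viewer's SharePoint session.
    public static void RenderUnsafe(HtmlTextWriter output, SPListItem item)
    {
        output.Write("<tr><td>" + item["firstName"] + " " + item["lastName"] +
                     "</td><td>" + item["email"] + "</td><td>" + item["score"] + "</td></tr>");
    }

    // Safe: every user-controlled column is HTML-encoded when it is rendered.
    // The list stores the raw value; encoding belongs at the output boundary.
    public static void RenderSafe(HtmlTextWriter output, SPListItem item)
    {
        string name = Encode(item["firstName"]) + " " + Encode(item["lastName"]);
        output.Write("<tr><td>" + name + "</td><td>" + Encode(item["email"]) +
                     "</td><td>" + Encode(item["score"]) + "</td></tr>");
    }

    private static string Encode(object fieldValue)
    {
        // Null-safe: a list column may be empty; a boxed score converts cleanly too.
        return HttpUtility.HtmlEncode(Convert.ToString(fieldValue ?? string.Empty));
    }

    // Render the whole results list using the safe path.
    public static void RenderTable(HtmlTextWriter output, string siteUrl, string resultsList)
    {
        using (SPSite site = new SPSite(siteUrl))
        using (SPWeb web = site.OpenWeb())
        {
            SPList results = web.Lists[resultsList];
            output.Write("<table>");
            foreach (SPListItem item in results.Items)
            {
                RenderSafe(output, item);
            }
            output.Write("</table>");
        }
    }
}
```

The same applies to the registration form itself: if the web part ever echoes a previously entered value back into the `value=""` attribute of its inputs, that value needs attribute encoding too.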


Are you writing the SQL yourself? If not, I'd test it by conducting some SQL injection attacks of your own. Try entering data like John Smith' -- into a name field and see if the quote and dashes end up in the database. If they don't (or you get no data at all), there may be a SQL injection vulnerability. (Note that this is not an exhaustive test - so don't rely on it)

I would assume that SharePoint contains protection against SQL injection, otherwise every 2nd government and large enterprise site would be done over. (On second thoughts, disregard that :)

For Cross-Site Scripting attacks, try some of the ones from here: http://ha.ckers.org/xss.html
