C# 真的对sql注入感到困惑吗
获取了有关可能导致sql注入的错误的详细信息页面 URL编码的GET input classid设置为1和3*2*1=6,608=608 进行的测试:C# 真的对sql注入感到困惑吗,c#,sql,.net,sql-injection,C#,Sql,.net,Sql Injection,获取了有关可能导致sql注入的错误的详细信息页面 URL编码的GET input classid设置为1和3*2*1=6,608=608 进行的测试: 1*1*1*1=>TRUE 1*608*603*0=>FALSE 11*5*2*999=>错误 1*1*1=>TRUE 1*1*1*1*1*1=>TRUE 11*1*1*0*1*1*608=>FALSE 1和5*4=20和608=608=>TRUE 1和5*4=21和608=608=>FALSE。。。(行截断) 这是可能导致问题的源代码: i
- 1*1*1*1=>TRUE
- 1*608*603*0=>FALSE
- 11*5*2*999=>错误
- 1*1*1=>TRUE
- 1*1*1*1*1*1=>TRUE
- 11*1*1*0*1*1*608=>FALSE
- 1和5*4=20和608=608=>TRUE
- 1和5*4=21和608=608=>FALSE。。。(行截断)
if (!string.IsNullOrEmpty(Request.QueryString["classid"]))
{
string tSql = @" SELECT [Award_ID],[Award_Name],[Award_Info],[Award_Pic],[Award_Num],[Award_MoneyCost],[Award_MoneyGet],[Award_Type],[Award_AddDate],[Award_Hot],[Award_OnLineTime],[AwardProP],[PrizeSlidePic],[PrizeDetailPic],[PrizeBigSlidePic],[IsTop],[ClassID] FROM dbo.Web_Award WHERE ClassID={0} ";
DataTable data = DbSession.Default.FromSql(string.Format(tSql, Request.QueryString["classid"])).ToDataTable();
if (data.Rows.Count > 0)
{
rptList.DataSource = data;
rptList.DataBind();
}
}
else
{
string tSql = @" SELECT [Award_ID],[Award_Name],[Award_Info],[Award_Pic],[Award_Num],[Award_MoneyCost],[Award_MoneyGet],[Award_Type],[Award_AddDate],[Award_Hot],[Award_OnLineTime],[AwardProP],[PrizeSlidePic],[PrizeDetailPic],[PrizeBigSlidePic],[IsTop],[ClassID] FROM dbo.Web_Award ";
DataTable data = DbSession.Default.FromSql(tSql).ToDataTable();
if (data.Rows.Count > 0)
{
rptList.DataSource = data;
rptList.DataBind();
}
}
谁能告诉我怎么处理这个…非常感谢
现在我已经修改了我的代码
if (!string.IsNullOrEmpty(Request.QueryString["classid"]))
{
//string tSql = @" SELECT [Award_ID],[Award_Name],[Award_Info],[Award_Pic],[Award_Num],[Award_MoneyCost],[Award_MoneyGet],[Award_Type],[Award_AddDate],[Award_Hot],[Award_OnLineTime],[AwardProP],[PrizeSlidePic],[PrizeDetailPic],[PrizeBigSlidePic],[IsTop],[ClassID] FROM dbo.Web_Award WHERE ClassID={0} ";
string tSql = "SELECT [Award_ID],[Award_Name],[Award_Info],[Award_Pic],[Award_Num],[Award_MoneyCost],[Award_MoneyGet],[Award_Type],[Award_AddDate],[Award_Hot],[Award_OnLineTime],[AwardProP],[PrizeSlidePic],[PrizeDetailPic],[PrizeBigSlidePic],[IsTop],[ClassID] FROM dbo.Web_Award WHERE ClassID = @ClassID";
//DataTable data = DbSession.Default.FromSql(string.Format(tSql, Request.QueryString["classid"])).ToDataTable();
SqlConnection connection = new SqlConnection("Server=(local);Integrated Security=SSPI;database=DaysQP");
connection.Open();
SqlCommand command = new SqlCommand(tSql, connection);
command.Parameters.Add(new SqlParameter("@ClassId", System.Data.SqlDbType.Int));
command.Parameters["@ClassID"].Value = 1;
using (SqlDataReader dr = command.ExecuteReader())
{
var data = new DataTable();
data.Load(dr);
if (data.Rows.Count > 0)
{
rptList.DataSource = data;
rptList.DataBind();
}
}
connection.Close();
}
else
{
string tSql = @" SELECT [Award_ID],[Award_Name],[Award_Info],[Award_Pic],[Award_Num],[Award_MoneyCost],[Award_MoneyGet],[Award_Type],[Award_AddDate],[Award_Hot],[Award_OnLineTime],[AwardProP],[PrizeSlidePic],[PrizeDetailPic],[PrizeBigSlidePic],[IsTop],[ClassID] FROM dbo.Web_Award ";
DataTable data = DbSession.Default.FromSql(tSql).ToDataTable();
if (data.Rows.Count > 0)
{
rptList.DataSource = data;
rptList.DataBind();
}
}
但是问题仍然存在
最后通过使用参数化查询解决了这个问题
if (!string.IsNullOrEmpty(Request.QueryString["classid"]))
{
int number;
bool result = Int32.TryParse(Request.QueryString["classid"], out number);
if (result == false)
{
return;
}
//string tSql = @" SELECT [Award_ID],[Award_Name],[Award_Info],[Award_Pic],[Award_Num],[Award_MoneyCost],[Award_MoneyGet],[Award_Type],[Award_AddDate],[Award_Hot],[Award_OnLineTime],[AwardProP],[PrizeSlidePic],[PrizeDetailPic],[PrizeBigSlidePic],[IsTop],[ClassID] FROM dbo.Web_Award WHERE ClassID={0} ";
string tSql = "SELECT [Award_ID],[Award_Name],[Award_Info],[Award_Pic],[Award_Num],[Award_MoneyCost],[Award_MoneyGet],[Award_Type],[Award_AddDate],[Award_Hot],[Award_OnLineTime],[AwardProP],[PrizeSlidePic],[PrizeDetailPic],[PrizeBigSlidePic],[IsTop],[ClassID] FROM dbo.Web_Award WHERE ClassID = @ClassID";
//DataTable data = DbSession.Default.FromSql(string.Format(tSql, Request.QueryString["classid"])).ToDataTable();
SqlConnection connection = (SqlConnection)DbSession.Default.CreateConnection();
//SqlConnection("Server=(local);Integrated Security=SSPI;database=DaysQP");
connection.Open();
SqlCommand command = new SqlCommand(tSql, connection);
command.Parameters.Add(new SqlParameter("@ClassId", System.Data.SqlDbType.Int));
command.Parameters["@ClassID"].Value = number;
using (SqlDataReader dr = command.ExecuteReader())
{
var data = new DataTable();
data.Load(dr);
if (data.Rows.Count > 0)
{
rptList.DataSource = data;
rptList.DataBind();
}
}
connection.Close();
}注射的可能性在这里:
string tSql = @" SELECT [Award_ID],[Award_Name],[Award_Info],[Award_Pic],[Award_Num],[Award_MoneyCost],[Award_MoneyGet],[Award_Type],[Award_AddDate],[Award_Hot],[Award_OnLineTime],[AwardProP],[PrizeSlidePic],[PrizeDetailPic],[PrizeBigSlidePic],[IsTop],[ClassID] FROM dbo.Web_Award WHERE ClassID={0} ";
DataTable data = DbSession.Default.FromSql(string.Format(tSql, Request.QueryString["classid"])).ToDataTable();
您希望查询返回Web\u Award
表记录,这些记录的classId
与Request.QueryString[“classId”]
如果Request.QueryString[“classid”]
的值类似于:
1 or 1=1
然后查询变成:
select award_id,..... from web_awards where classId=1 or 1=1
最终你会返回你从未想过要返回的数据
本质上,这是sql注入,您可能会读到更多关于它的内容。使用存储过程或参数化查询可防止此类攻击。注入的可能性如下:
string tSql = @" SELECT [Award_ID],[Award_Name],[Award_Info],[Award_Pic],[Award_Num],[Award_MoneyCost],[Award_MoneyGet],[Award_Type],[Award_AddDate],[Award_Hot],[Award_OnLineTime],[AwardProP],[PrizeSlidePic],[PrizeDetailPic],[PrizeBigSlidePic],[IsTop],[ClassID] FROM dbo.Web_Award WHERE ClassID={0} ";
DataTable data = DbSession.Default.FromSql(string.Format(tSql, Request.QueryString["classid"])).ToDataTable();
您希望查询返回Web\u Award
表记录,这些记录的classId
与Request.QueryString[“classId”]
如果Request.QueryString[“classid”]
的值类似于:
1 or 1=1
然后查询变成:
select award_id,..... from web_awards where classId=1 or 1=1
最终你会返回你从未想过要返回的数据
本质上,这是sql注入,您可能会读到更多关于它的内容。使用存储过程或参数化查询可防止此类攻击。使用参数。不要连接SQL字符串。就是这么简单。使用参数。不要连接SQL字符串。就是这么简单。我已经修改了我的代码,但问题仍然存在,请你看看我的新代码。给我一些细节…你用什么来执行这些测试?您得到的确切错误是什么?我已将其作为答案发布。我已修改了代码,但问题仍然存在,请您查看我的新代码。请提供一些详细信息…您使用什么来执行这些测试?你得到的确切错误是什么?我已将其作为答案发布