Home > Others

Talking about the data access layer from SQL injection

Source: Internet
Author: User
Tags net command
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

What is SQL injection?

SQL injection is what the developer of the application didn't expect. The SQL statement is passed into the application, and the application that constructs the SQL statement directly using the user input values is likely to be attacked by SQL injection. Especially in browser-based network applications, SQL injection attacks are more common.

The simple thing is to use the values entered by the user to build the SQL statements such as:

string sql= "select * from UserBase where id= '" +txtid.text+ "' and pwd= '" +txtpwd.text+ "' /c6> "; //Use "" to wrap user-entered values to build SQL statements
Demo

At this point we just enter "' or 1=1--" In the text box "txtID" so that regardless of whether he enters the correct account and password, he can log in to your application, and can even build SQL statements in this way directly to your system-level database

parameterized commands

The way the SQL statements are built is vulnerable to SQL injection, and using parameterized commands can effectively prevent SQL injection attacks.

As follows:

  1string sql = "select * from UserBase where [email protected] and [email protected]"; //Using placeholders for placeholders   2//assigns a value of   3 sqlparameter sp1=new SqlParameter ("@Id" to the placeholder, Txtid.text);   4 SqlParameter sp2=new SqlParameter ("@pwd", Txtpwd. Text);   5//Associate the parameter value with the command object   6 cmd. Parameters.Add (SP1);   7 cmd. Parameter.add (SP2);
SQL statements for parameterized commands

The above example uses placeholders to indicate values that need to be replaced dynamically during the program's run, by adding the @ symbol before the SQL text parameter.

Ado. NET command objects use a collection to hold discrete parameter types (3, 4 lines of code), which is the Parameters collection.

Users can add as many parameter objects as possible and map to placeholders in SQL statements (6, 7 lines of code).

Common properties of the SqlParameter class
DbType Gets or sets the DbType of the parameter
Direction Gets or sets a value that indicates whether the parameter is input-only, output-only, or bidirectional stored procedure return-value parameters
Isnulllable Gets or sets a value that indicates whether the parameter receives a null value
ParameterName Gets or sets the name of the SqlParameter
Size Gets or sets the maximum value of the data in the column
SqlDbType Gets or sets the DbType of the parameter
Value Gets or sets the value of this parameter
Calling a stored procedure with ADO
    1. Writing stored procedures on the data side
    2. Call a stored procedure
      1. Specify a stored procedure name for the Command object
          1 cmd.commandtext= "Name";
        Demo
      2. Specifies the command type of the commands object
          1 cmd.commandtype=commandtype.storedprocedure;
        Demo
    3. Stored Procedure return value
If the stored procedure has an output parameter, the value of the output parameter can be obtained by accessing the parameter collection of the command object again after executing the stored procedure

Talking about the data access layer from SQL injection

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
about sql injection access sql server data from mysql import data from sql to access import data from access to sql server access sql injection entity framework data access layer example sql injection access database

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More