Recently, several colleagues and friends asked how to "splice strings" in a sqlmap, because sometimes the number of conditions is not fixed and the types of the condition parameters are not fixed, so an SQL statement with a fixed @parameter cannot be written. This is the problem commonly called "dynamic SQL". The PDF.NET data development framework has supported it since version 1.0 and it is documented in the sqlmap description, but apparently no one has read it.
Here is a practical example to illustrate how to use dynamic SQL.
1. Write the following sqlmap script:
<Select CommandName="GetRemindsByWhere" CommandType="Text" Method="" Description="query reminder records according to the condition" ResultClass="DataSet">
<![CDATA[
select A.GUID, A.RemindTitle, A.RemindContent, A.RemindDate,
  case when A.IsRead = 0 then 'unhandled' else '' end IsRead,
  B.CustomerName, C.ModelName, B.GUID UserID
from WFT_RemindRecord A
left join WFT_Customer B on A.CustomerID = B.GUID
left join TB_Common_ModelInfo C on A.RemindTypeID = C.ModelID
where 1 = 1 and #%tiaojian%#
]]>
</Select>
</CommandClass>
If you use a "replace parameter", you only need to write #%...%#. You do not need to specify a parameter type, because a "replace" is nothing more than a string replacement. For example, the following is incorrect:
where 1 = 1 and #%tiaojian:String%#
You only need:
where 1 = 1 and #%tiaojian%#
2. The sqlmap DAL code:
The code generation tool produces the following DAL code from the sqlmap script above:
/// <summary>
/// Query reminder records based on conditions
/// </summary>
/// <returns></returns>
public DataSet GetRemindsByWhere(string tiaojian)
{
    // Obtain the command information for this sqlmap entry
    CommandInfo cmdInfo = Mapper.GetCommandInfo("GetRemindsByWhere");
    // Execute the parameter replacement: the text of tiaojian is spliced into the SQL as-is
    cmdInfo.SetParameterValue("tiaojian", tiaojian, enumParamType.ReplacedText);
    // Execute the query
    return CurrentDataBase.ExecuteDataSet(CurrentDataBase.ConnectionString, cmdInfo.CommandType, cmdInfo.CommandText, null);
    //
} // End Function
The code shows that the replace parameter "tiaojian" in the sqlmap script is mapped to the method parameter string tiaojian, and that the parameter is set with the following call:
cmdInfo.SetParameterValue("tiaojian", tiaojian, enumParamType.ReplacedText);
The key is the additional overload argument: enumParamType.ReplacedText
"Replace parameters" give you flexibility when the number and type of conditions are not fixed. In every other case, use parameters of a specific type wherever possible, to avoid the potential SQL injection risk that string replacement brings.
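An added example (not code from this post or from PDF.NET) showing what to hand to the tiaojian replace parameter when the conditions vary: a fragment assembled from raw values beside a hardened version that whitelists the columns and operators and passes the values as SqlParameter objects. It assumes SQL Server's SqlClient and that the final argument of ExecuteDataSet, passed as null in the generated code above, is the parameter array.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;

// Hypothetical helper (not part of PDF.NET): builds the text that replaces #%tiaojian%#.
public static class ConditionBuilder
{
    // Columns and operators a caller may filter on; anything else is rejected.
    static readonly HashSet<string> AllowedColumns = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "A.IsRead", "A.RemindDate", "B.CustomerName", "C.ModelID" };
    static readonly HashSet<string> AllowedOps = new HashSet<string> { "=", "<>", ">", "<", ">=", "<=", "LIKE" };

    // Unsafe: values are spliced into the fragment, and the replace parameter then splices the
    // fragment verbatim into the SQL, so a value containing a single quote changes the query itself.
    public static string BuildUnsafe(IList<(string col, string op, object val)> conds)
    {
        var parts = new List<string>();
        foreach (var (col, op, val) in conds) parts.Add($"{col} {op} '{val}'");
        return parts.Count == 0 ? "1=1" : string.Join(" and ", parts);
    }

    // Hardened: the fragment holds only whitelisted identifiers and numbered placeholders;
    // the values travel as SqlParameter objects and never become part of the command text.
    public static (string Fragment, SqlParameter[] Parameters) BuildSafe(IList<(string col, string op, object val)> conds)
    {
        var parts = new List<string>();
        var ps = new List<SqlParameter>();
        for (int i = 0; i < conds.Count; i++)
        {
            var (col, op, val) = conds[i];
            if (!AllowedColumns.Contains(col)) throw new ArgumentException("column not allowed: " + col);
            if (!AllowedOps.Contains(op.ToUpperInvariant())) throw new ArgumentException("operator not allowed: " + op);
            string name = "@tj" + i;                       // @tj0, @tj1, ... one placeholder per condition
            parts.Add($"{col} {op} {name}");
            ps.Add(new SqlParameter(name, val ?? DBNull.Value));
        }
        return (parts.Count == 0 ? "1=1" : string.Join(" and ", parts), ps.ToArray());
    }

    public static void Main()
    {
        // Constructed input: two conditions of different types, the second carrying a stray quote.
        var conds = new List<(string, string, object)> { ("A.IsRead", "=", 0), ("B.CustomerName", "LIKE", "O'Neil%") };
        Console.WriteLine(BuildUnsafe(conds));   // the quote in the name lands inside the SQL literal
        var (fragment, ps) = BuildSafe(conds);
        Console.WriteLine(fragment);             // only column names, operators and @tjN placeholders
        // In the generated DAL method, fragment replaces #%tiaojian%# and ps goes where null was passed:
        //   cmdInfo.SetParameterValue("tiaojian", fragment, enumParamType.ReplacedText);
        //   return CurrentDataBase.ExecuteDataSet(CurrentDataBase.ConnectionString, cmdInfo.CommandType, cmdInfo.CommandText, ps);
    }
}
```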