Related knowledge:
- A SQL command string can be built by concatenating strings, but that concatenation is a major cause of the "SQL injection attack".
- Consider the following example: retrieve the category information for the name "Bikes" from the ProductCategory table. (The sample database is the Red Book database adventureworks_wroxssrs2012.)
- If you rely on string concatenation, you would write:
    string name = "Bikes";
    string strcmd = "SELECT ProductCategoryID, Name from production.productcategory WHERE name='" + name + "'";
Note: the single quotation mark marks the start and end of the string literal.
- However, if the name variable is not hard-coded by the program but entered by the user (for example, from an input box on a page), there may be "illegal" input. For example:
    string name = "Bikes'; DELETE from Production.productcategory; '";
    string strcmd = "SELECT ProductCategoryID, Name from production.productcategory WHERE name='" + name + "'";
Note: a single quotation mark is placed right after Bikes, so that "... name='" + name + "'" still yields a valid SQL statement, which is executed as follows:
    SELECT ProductCategoryID, Name from production.productcategory WHERE name='Bikes'; DELETE from Production.productcategory; ''
In this case, strcmd executes the SELECT statement first and then executes the DELETE statement.
- This situation is extremely dangerous. The root cause is that the single quotation mark marks the beginning and end of a string: a user can craft an input that, once spliced into the program's SQL string, poses a serious threat to the database. This is known as a SQL injection attack.
- Because the injection attack is caused by single quotation marks, a natural way to mitigate it is to stop the single quotation mark from being interpreted as the "start and end character of a string" and have it treated as a plain quote character only.
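The effect of quote doubling on the Bikes query, as an added example that is not part of the original page: the same concatenation pattern is fed an ordinary value, the injected value from the note above, and the injected value with its single quotes doubled before splicing. The last case shows why the page's listing, which applies Replace to the finished command rather than to the input, ends in a SQL exception: the delimiting quotes get doubled too. The injected input string is constructed here in the shape the page describes.

```csharp
// Added example, not code from the original page. Runs offline; it only
// builds strings and prints them, nothing is sent to a database.
using System;

class QuoteDoublingDemo
{
    // Same concatenation pattern as the page's Bikes example.
    static string BuildQuery(string name)
    {
        return "SELECT ProductCategoryID, Name from production.productcategory WHERE name='" + name + "'";
    }

    // Doubling every single quote inside the *value* turns it into a plain
    // character; the delimiting quotes added by BuildQuery stay intact.
    static string EscapeLiteral(string value)
    {
        return value.Replace("'", "''");
    }

    static void Main()
    {
        string benign = "Bikes";
        // Constructed input, shaped like the page's illegal input.
        string injected = "Bikes'; DELETE from Production.productcategory; '";

        Console.WriteLine("1) ordinary value:");
        Console.WriteLine("   " + BuildQuery(benign));

        Console.WriteLine("2) injected value spliced in unchanged (two statements):");
        Console.WriteLine("   " + BuildQuery(injected));

        Console.WriteLine("3) injected value with quotes doubled before splicing (one statement, the whole input is the name literal):");
        Console.WriteLine("   " + BuildQuery(EscapeLiteral(injected)));

        // The page's listing applies Replace to the finished command string instead.
        // That also doubles the delimiting quotes ( name=''Bikes'' ... ), so the
        // statement no longer parses, which matches the SQL exception the page reports.
        Console.WriteLine("4) Replace applied to the whole command (page's approach):");
        Console.WriteLine("   " + BuildQuery(injected).Replace("'", "''"));
    }
}
```

Case 3 is the form of quote doubling that keeps the query valid: escape each user-supplied value before it is concatenated, never the assembled command.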
Code example:
    using System;
    using System.Data.SqlClient;

    class Program
    {
        static void Main(string[] args)
        {
            string userName = "XXX";
            string password = "xxx' OR '1'='1";   // constructs a string that might generate a SQL injection attack
            string strcmd = "SELECT AccountID from account WHERE accountname='" + userName +
                            "' and password='" + password + "'";

            // The following statement replaces the single quotation mark with two single quotes,
            // so that it no longer represents the beginning and end of the string,
            // thus eliminating the SQL injection attack
            //strcmd = strcmd.Replace("'", "''");

            // connection-string keyword for the password is pwd (the page's listing had a typo here)
            string strconn = @"Server=joe-pc;database=accountdbforsqlinjection;uid=sa;pwd=root";
            SqlConnection conn = new SqlConnection(strconn);
            conn.Open();
            SqlCommand cmd = new SqlCommand(strcmd, conn);
            SqlDataReader dr = cmd.ExecuteReader();
            if (dr.Read())
            {
                Console.WriteLine("Login Successful!");
            }
            else
            {
                Console.WriteLine("The user name or password is wrong!");
            }
            conn.Close();
        }
    }
Program Analysis:
- The program's intent: if a record matching both the user name and the password exists in the data, return the corresponding AccountID, indicating a successful login; if nothing matches, the login fails.
- However, with the SQL injection string constructed in the sample code, the login eventually succeeds no matter what user name and password are supplied.
- Uncomment strcmd = strcmd.Replace("'", "''"); and run the program again: it throws a SQL exception, which shows that the SQL statement is judged invalid and the SQL injection attack fails.
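The same login check written with a parameterized SqlCommand, as an added example that is not the page's own listing. It assumes a SQL Server reachable through the placeholder connection string below, holding the page's account table with the columns AccountID, accountname and password; the NVarChar length of 50 is an assumption, not taken from the page. The user-supplied values never become part of the SQL text, so the page's bypass string is compared literally against the password column and matches nothing.

```csharp
// Added example, not code from the original page.
using System;
using System.Data;
using System.Data.SqlClient;

class ParameterizedLogin
{
    // Returns the AccountID of the matching row, or null when there is no match.
    // userName and password travel as typed parameters; a quote inside them is data,
    // not a string delimiter, so the SQL text can never be restructured by input.
    static int? FindAccount(string connectionString, string userName, string password)
    {
        const string sql =
            "SELECT AccountID FROM account WHERE accountname = @name AND password = @password";

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // Column length 50 is assumed; adjust to the real schema.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = userName;
            cmd.Parameters.Add("@password", SqlDbType.NVarChar, 50).Value = password;

            conn.Open();
            object result = cmd.ExecuteScalar();   // null when no row matched
            return (result == null || result == DBNull.Value) ? (int?)null : Convert.ToInt32(result);
        }
    }

    static void Main()
    {
        // Placeholder connection string; replace <your-server> with a test server.
        string strconn = "Server=<your-server>;Database=accountdbforsqlinjection;Integrated Security=true";

        // The page's bypass string. With parameters it succeeds only if a row
        // stores exactly this text as the password.
        string userName = "XXX";
        string password = "xxx' OR '1'='1";

        try
        {
            int? accountId = FindAccount(strconn, userName, password);
            Console.WriteLine(accountId.HasValue
                ? "Login Successful! AccountID = " + accountId.Value
                : "The user name or password is wrong!");
        }
        catch (SqlException ex)
        {
            Console.WriteLine("Database error: " + ex.Message);
        }
    }
}
```

Unlike the Replace workaround, this needs no escaping at all: the command text is fixed at compile time and the server receives the values separately, so the program prints "The user name or password is wrong!" for the bypass string instead of either logging in or throwing.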
ADO.NET QuickStart -- SQL injection attacks