A cautionary example:
A detailed explanation of SQL injection attacks. Below we take a simple user login as the example and walk through a SQL injection attack, and the precautions against it, with code. The code for a simple user login might look like this:
// requires: using System.Data; using System.Data.SqlClient;
try
{
    string strUserName = this.txtUserName.Text;
    string strPwd = this.txtPwd.Text;
    // Vulnerable: the user's input is concatenated straight into the SQL text.
    string strSQL = "SELECT * FROM UserInfo WHERE username='" + strUserName + "' AND password='" + strPwd + "'";
    SqlConnection objDbConn = new SqlConnection("database connection string");
    SqlDataAdapter objAdapter = new SqlDataAdapter(strSQL, objDbConn);
    DataSet objDataSet = new DataSet();   // Fill() needs an instance, not null
    objAdapter.Fill(objDataSet);          // TODO: check the rows that came back
}
catch (System.Exception e)
{
    this.lblMsg.Text = e.Message;
    this.lblMsg.Visible = true;
}
In the code above, if the user enters a normal user name and password, execution proceeds normally. But if the user name entered is Johny '-- then the statement executed by SQL Server becomes select * from UserInfo where username='Johny '--' and password='password'. Everything after -- is a comment, so as long as a user named Johny exists in the database the statement succeeds no matter what the password is, and the login check is passed. Worse still, SQL Server has system stored procedures such as xp_cmdshell that can run many operating-system commands; if the user name part of the login is Johny ' exec xp_cmdshell ' format d:/s '-- then consider what the consequences are. A malicious user only needs to modify the ' format d:/s ' command slightly to do a great deal of damage.
.NET methods for preventing SQL injection
1. Pass values through SqlCommand parameters:
string strSQL = "SELECT * FROM [user] WHERE [id]=@id";
SqlCommand cmd = new SqlCommand();
cmd.CommandText = strSQL;
// The value is bound as a typed parameter and is never spliced into the SQL text.
cmd.Parameters.Add("@id", SqlDbType.VarChar, 20).Value = Request["id"].ToString();
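To make the login bypass described above and the parameterised fix reproducible offline, here is an added example (not code from the article) that runs both versions of the login query against an in-memory SQLite database. SQLite stands in for SQL Server here; the UserInfo table and its two rows are constructed sample data. Note that SQLite compares strings exactly, so the payload below omits the trailing space the article's Johny '-- input carries.

```python
import sqlite3

# Constructed sample data standing in for the article's UserInfo table.
SAMPLE_USERS = [("Johny", "s3cret"), ("alice", "hunter2")]


def make_db():
    """Create an in-memory database with a UserInfo table and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserInfo (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO UserInfo VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, username, password):
    """The article's vulnerable pattern: user input spliced into the SQL text.
    Returns the SQL that was actually executed and whether a row matched."""
    sql = ("SELECT * FROM UserInfo WHERE username='" + username +
           "' AND password='" + password + "'")
    row = conn.execute(sql).fetchone()
    return sql, row is not None


def login_param(conn, username, password):
    """The fix: placeholders bind the input as data, so it is never parsed as SQL.
    This is the equivalent of SqlCommand with cmd.Parameters.Add in the article."""
    sql = "SELECT * FROM UserInfo WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return sql, row is not None


def demo():
    """Run both login variants with valid credentials and with the injected name."""
    conn = make_db()
    results = {}
    # Normal credentials: both versions behave the same.
    results["concat_valid"] = login_concat(conn, "Johny", "s3cret")[1]
    results["param_valid"] = login_param(conn, "Johny", "s3cret")[1]
    # The article's input: the quote closes the string and -- comments out
    # the password check, so the concatenated query matches with a wrong password.
    bad_user = "Johny'--"
    sql, matched = login_concat(conn, bad_user, "wrong")
    results["concat_injected"] = matched
    results["concat_sql"] = sql
    # With a bound parameter the same text is just a user name that does not exist.
    results["param_injected"] = login_param(conn, bad_user, "wrong")[1]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

Running it shows concat_injected as True and param_injected as False for the same input; the printed concat_sql line is the statement the database actually saw, with the password clause sitting behind the comment marker.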
2. Filter out forbidden operations:
/// <summary>
/// Filter a SQL string to prevent injection
/// </summary>
/// <param name="sSql">the string to check</param>
/// <returns>0 - no injection detected, 1 - injection detected</returns>
public int filterSql(string sSql)
{
    int srcLen, decLen = 0;
    sSql = sSql.ToLower().Trim();
    srcLen = sSql.Length;
    // Strip blacklisted keywords; if the length changed, something was removed.
    sSql = sSql.Replace("exec", "");
    sSql = sSql.Replace("delete", "");
    sSql = sSql.Replace("master", "");
    sSql = sSql.Replace("truncate", "");
    sSql = sSql.Replace("declare", "");
    sSql = sSql.Replace("create", "");
    sSql = sSql.Replace("xp_", "no");
    decLen = sSql.Length;
    if (srcLen == decLen)
        return 0;
    else
        return 1;
}
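To see what the keyword blacklist above actually catches, here is an added example (a Python port of the article's filterSql, not the article's own code) run over a few constructed inputs: the article's own login bypass input, two ordinary strings that merely contain a blacklisted substring, and the xp_cmdshell name the list was written for.

```python
# Ported from the article's C# filterSql so its behaviour can be checked quickly.
BLACKLIST = [
    ("exec", ""), ("delete", ""), ("master", ""), ("truncate", ""),
    ("declare", ""), ("create", ""), ("xp_", "no"),
]


def filter_sql(value):
    """Mirror filterSql: lower-case, trim, strip the blacklisted substrings and
    report 1 if the length changed (something was removed), otherwise 0."""
    value = value.lower().strip()
    src_len = len(value)
    for word, replacement in BLACKLIST:
        value = value.replace(word, replacement)
    return 0 if len(value) == src_len else 1


def evaluate():
    """Run the filter over constructed inputs and return its verdict for each."""
    cases = {
        # The article's login bypass: it contains no blacklisted word at all,
        # so the filter reports it as clean even though it subverts the query.
        "bypass_payload": "Johny '--",
        # Ordinary values that happen to contain a blacklisted substring
        # ("master", "create") and are therefore rejected as injection.
        "webmaster": "webmaster",
        "created_at": "created_at",
        # The kind of input the list was written to stop.
        "xp_cmdshell": "xp_cmdshell",
    }
    return {name: filter_sql(text) for name, text in cases.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(name, "=>", verdict)
```

The verdicts show the two failure modes of substring blacklists at once: the quote-and-comment input that defeats the login check passes as 0, while harmless strings such as webmaster come back as 1. Parameterised queries, as in method 1, do not depend on guessing which words an attacker will use.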
3. Stored procedures
JavaScript version of the SQL-injection protection code:
<script language="javascript">
<!--
// Client-side check only: it runs in the browser, so the server must still validate.
var url = location.search;
var re = /^\?(.*)(select%20|insert%20|delete%20from%20|count\(|drop%20table|update%20truncate%20|asc\(|mid\(|char\(|xp_cmdshell|exec%20master|net%20localgroup%20administrators|\"|:|net%20user|\|%20or%20)(.*)$/gi;
var e = re.test(url);
if (e) {
    alert("地址中含有非法字符~"); // "The address contains illegal characters"
    location.href = "error.asp";
}
//-->
</script>
http://www.cnblogs.com/xiepeixing/archive/2012/11/13/2767733.html
Prevent SQL injection