SQL Injection and SQL Injection

SQL Injection and SQL Injection

In the past, when I was working on the student information management system and data room charging system, SQL injection was a common problem, but I did not really understand what SQL injection was like. it was not until this time that I was doing a cool job that I took the example of a cool job. I realized that SQL injection was really dangerous.

Question:

We will first construct a simple program for adding news, and add a TextBox Control, a Button control, and a GridView control to a dynamic webpage. Shows the layout:

Then write the following code for the control:

First, let's look at the functions used to execute SQL statements in the SQLHelper class.

 <span style="font-size:18px;">public int ExecuteNonQuery(string sql)        {            int res;            try            {                cmd = new SqlCommand(sql,GetConn());                res = cmd.ExecuteNonQuery();            }            catch (Exception ex)            {                throw ex;            }            finally {                if (conn.State ==ConnectionState.Open)                {                    conn.Close();                }            }            return res;        }</span>

Then the Insert function is used to Insert data.

<span style="font-size:18px;"> public bool Insert(string caName)        {            bool flag = false;            string sql = "insert intocategory(name) values('"+caName +"')";            int res =sqlhelper.ExecuteNonQuery(sql);            if (res > 0)            {                flag = true;            }            return flag;        }</span>

Finally, write the Event code for clicking the button in the page code.

<span style="font-size:18px;"> protected void Button1_Click(object sender,EventArgs e)        {            string caName = TextBox1.Text;            bool b = newCategoryDAO().Insert(caName);            Response.Write(b);            GridView1.DataSource = newCategoryDAO().SelectAll();            GridView1.DataBind();        }</span>

Run the program after debugging. The result is as follows:

When we enter "Strange things" in the input box) delete category where id = 5 -- ", click the button and the result is as follows:

When I saw this result, I was shocked. so easily deleted the data in the database? Why? We extract the SQL statement from the code and then put the entered content to analyze the cause, as shown in figure

This is just a simple example of SQL injection, and there are many forms of SQL injection. As long as you can get the name of your database table (this is so easy for experts) and your code is not optimized for security, you can change or even delete your data at will, the above only deletes a record. If you change the statement to delete category, the data in the entire table will be cleared, and the consequences will be very serious.

Solution:

One way is to parameterize the input content, that is, to convert the original method of splicing an SQL statement into passing parameters into an SQL statement. Specifically, it is to transform the Insert function and rewrite the corresponding function in the SQLHelper class. The Code is as follows:

Let's take a look at how to rewrite the SQLHelper function:

 <span style="font-size:18px;">public int ExecuteNonQuery(string sql ,SqlParameter [] paras)        {            int res;            using (cmd =new SqlCommand (sql ,GetConn ()))            {                cmd.Parameters.AddRange(paras );                res =cmd .ExecuteNonQuery ();            }            return res;        }</span>

Then the optimization code of the Insert function:

<span style="font-size:18px;"> public bool Insert(string caName)        {            bool flag = false;            string sql = "insert into category(name) values(@caName)";            SqlParameter[] paras = new SqlParameter[]{                new SqlParameter ("@caName",caName )            };            int res = sqlhelper.ExecuteNonQuery(sql, paras);            if (res > 0)            {                flag = true;            }            return flag;        }</span>

After optimization, debug the program. The result is as follows:

In the input box, enter "Strange things") delete category where id = 2 -- ", and then click the button. What will happen? See:

So far, I believe you have an intuitive understanding and understanding of SQL injection. when you first started the system, you only knew to enter an odd number of single quotes in the input box, it may cause your system to report errors or even die. You can also operate internal databases by splicing SQL statements, so that you do not have a deep understanding of the dangers of SQL injection, now I understand that the problem was serious!