SQL injection in layman's

Before the student information management system and computer room charging system, the problem of SQL injection is commonplace , but there is no real image of a vivid understanding of What is SQL injection . c11> until this time to do beef brisket in cow Teacher's example , understand the original SQL injection is really dangerous ah .

Questions raised

let's start by constructing a simple program that adds news categories, adds a TextBox control to a Dynamic Web page, a Button control, and a GridView control. The layout looks like this:

Then write code for the control as follows:

Let 's take a look at the functions in the SQLHelper class to execute SQL statements

<span style="FONT-SIZE:18PX;" >Publicint ExecuteNonQuery (String sql)  {   int res;   Try  {   cmd =New SqlCommand (Sql,getconn ());   res = cmd. ExecuteNonQuery ();  }   catch (Exception ex)  {    Throw ex;  }   finally {    IF (conn. State ==connectionstate.open)     {     Conn. Close ();    }  }   return res;  }</span>           

Then there is the function insert to insert the data.

<span style="FONT-SIZE:18PX;" >PublicBOOL Insert (String caname)  {   BOOL flag =False   string sql =  "Insert Intocategory (name) VALUES ('" +caname +   int res =sqlhelper. ExecuteNonQuery (SQL);    if (res > 0"    {    flag = true;  }   return flag;  }</span>           

The last is the Click event code that writes the button in the page code

<span style= "Font-size : 18px; " > protected void Button1_Click (Object Sender,eventargs e)   {   string caname = Textbox1.text;   bool B = Newcategorydao (). Insert (CAName);    Response.Write (b);    Gridview1.datasource = Newcategorydao (). SelectAll ();    Gridview1.databind ();  }</SPAN>        

After debugging no problem, run the program, the results such as

When we enter "anecdote" in the input box, Delete category where id= 5 -- "Click the button and the result is as follows:

When I saw this result, I was shocked, so easy to delete the data in the database? What is this for? We extract the SQL statements from the code and put the input into it to analyze the reasons, such as

This is just a simple example of SQL injection, and there are several forms of SQL injection. As long as you can get your database table name (for the master, this so Easy ), and your code is not security optimization, then I can arbitrarily change or even delete your data, above just delete a record, if you change the statement to Delete Category , then the entire table of data will be emptied, the consequences are very serious ah.

Solution:

One way to do this is to parameterize the input, and change the way the SQL statements are originally spliced into parameters passed into the SQL statement. Specifically, the Insert function is modified, and the corresponding function in the SQLHelper class is also rewritten, the code is as follows:

First look at how the SqlHelper function is rewritten:

Publicint ExecuteNonQuery (String sql, SqlParameter [] paras)    {   int Res    using (cmd =new SqlCommand (SQL, Getconn ()))    {    cmd. Parameters.addrange (paras);     res =cmd. ExecuteNonQuery ();   }   return res;                /span>                

Then the optimization code for the Insert function:

PublicBOOL Insert (String caname)  {   BOOL flag =False   String sql ="INSERT into category (name) VALUES (@caName)";  Sqlparameter[] Paras =New sqlparameter[]{    New SqlParameter ( "@caName", CAName)   };   int res = SqlHelper. ExecuteNonQuery (SQL, paras);    if (res > 0"    {    flag = true;  }   return flag;  }           /span>                

< Span lang= "en-US" > optimized after debugging No Problem, run the program with the following result:

What happens when we enter "anecdote" in the input box, Delete category where id=2 --"and then click the button? Please see:

Until now, I believe you have an intuitive understanding and understanding of SQL injection, when doing the system just know in the input box to enter an odd number of single quotation marks in the English state, will make your system error or even die, do not know that you can also by stitching SQL statements on the internal database operation, Therefore, the harm of SQL injection is not so profound understanding, now finally understand!

• This article from: Hobby Linux Technology Network
• This article link: http://www.ahlinux.com/safe/8831.html

SQL injection in layman's