SQL injection in layman's

before doing the student information management system and the computer room charge system,forSQLthe problem of injection is already commonplace,but there's no real, vivid understanding of the image.SQLWhat the hell is injected?.It was not until this time that the beef brisket was under the teacher's example.,I understand.SQLIt's really dangerous to inject..

Questions raised:

Let's start by constructing a simple program to add news categories, add a TextBox control to a Dynamic Web page, a Button control, a GridView control. The layout looks like this:

Then write code for the control as follows:

First Look SQLHelper class to perform the SQL function of the statement

<span style= "FONT-SIZE:18PX;" >public int ExecuteNonQuery (String sql)        {            int res;            Try            {                cmd = new SqlCommand (Sql,getconn ());                res = cmd. ExecuteNonQuery ();            }            catch (Exception ex)            {                throw ex;            }            Finally {                if (conn. State ==connectionstate.open)                {                    Conn. Close ();                }            }            return res;        } </span>

then the function used to insert the data Insert

<span style= "FONT-SIZE:18PX;" > Public bool Insert (string caname)        {            BOOL flag = FALSE;            String sql = "Insert intocategory (name) VALUES ('" +caname + "')";            int res =sqlhelper. ExecuteNonQuery (SQL);            if (res > 0)            {                flag = true;            }            return flag;        } </span>

Finally, the Click event code that writes the button in the page code

<span style= "FONT-SIZE:18PX;" > protected void Button1_Click (Object Sender,eventargs e)        {            string caname = TextBox1.Text;            BOOL B = Newcategorydao (). Insert (caname);            Response.Write (b);            Gridview1.datasource = Newcategorydao (). SelectAll ();            Gridview1.databind ();        } </span>

After debugging no problem, run the program, the results such as

when we enter "anecdote" in the input box Delete category where id=5--"After clicking the button, the result is as follows:

when I saw this result, I was shocked, so easy to delete the data in the database? What is this for? We extract the SQL statements from the code and put the input into it to analyze the reasons, such as

It's just SQL injection of a simple example, there are many forms of SQL injected. As long as you can get your database table name (for the master, this so Easy), and your code is not security optimization, then I can arbitrarily change or even delete your data, above just delete a record, if the statement to change the Delete Category , then the entire table of data will be emptied, the consequences are very serious ah.

Solution:

one way is to parameterize the input content, and the original stitching SQL The statement becomes the way to SQL the arguments passed in the statement. Specifically, the insert function is modified, and the corresponding function in the SQLHelper class is also rewritten, the code is as follows:

First look at how the SqlHelper function is rewritten:

<span style= "FONT-SIZE:18PX;" >public int ExecuteNonQuery (String sql, SqlParameter [] paras)        {            int res;            using (cmd =new SqlCommand (SQL, Getconn ()))            {                cmd. Parameters.addrange (paras);                Res =cmd. ExecuteNonQuery ();            }            return res;        } </span>

then the optimization code for the Insert function:

<span style= "FONT-SIZE:18PX;" > Public bool Insert (string caname)        {            BOOL flag = FALSE;            String sql = "INSERT into category (name) VALUES (@caName)";            Sqlparameter[] Paras = new sqlparameter[]{                new SqlParameter ("@caName", CAName)            };            int res = SqlHelper. ExecuteNonQuery (SQL, paras);            if (res > 0)            {                flag = true;            }            return flag;        } </span>

after optimization debugging no problem, run the program, the results are as follows:

we enter " anecdote " in the input box, Delete category where id=2 --"and then click the button, what results will appear? Please see:

Until now, I believe you have an intuitive understanding and understanding of SQL injection, when doing the system just know in the input box to enter an odd number of single quotation marks in the English state, will make your system error or even die, do not know that you can also by stitching SQL statements on the internal database operation, Therefore, the harm of SQL injection is not so profound understanding, now finally understand the original problem is very serious ah!

SQL injection in layman's