参数化查询防止Sql注入
一对儿程序猿 2019-12-11
拼接sql语句会造成sql注入,注入演示
namespace WindowsFormsApp1
{
public partial class Form1 : Form
{
public Form1()
{
InitializeComponent();
}
private void button1_Click(object sender, EventArgs e)
{
FillData(dataGridView1);
}
private void FillData(DataGridView dataGrid)
{
string connStr = ConfigurationManager.ConnectionStrings["Northwind"].ConnectionString;
using (SqlConnection conn = new SqlConnection(connStr))
{
string sql = "select * from Employees where EmployeeID=\‘" + textBox1.Text + "\‘";
using (SqlCommand sqlCommand = new SqlCommand(sql, conn))
{
using (SqlDataAdapter sqlData = new SqlDataAdapter(sqlCommand))
{
DataTable dataTable = new DataTable();
sqlData.Fill(dataTable);
dataGrid.DataSource = dataTable;
}
}
}
}
}
}正常生成的Sql语句应该为
select * from Employees where EmployeeID=‘1‘
输入sql实际生成的Sql语句为
select * from Employees where EmployeeID=‘‘ or 1=1 --‘
所有的数据都查询出来了
防止注入漏洞应该用SqlParameter做参数化查询
namespace WindowsFormsApp1
{
public partial class Form1 : Form
{
public Form1()
{
InitializeComponent();
}
private void button1_Click(object sender, EventArgs e)
{
FillData(dataGridView1);
}
private void FillData(DataGridView dataGrid)
{
string connStr = ConfigurationManager.ConnectionStrings["Northwind"].ConnectionString;
using (SqlConnection conn = new SqlConnection(connStr))
{
string sql = "select * from Employees where ";
using (SqlCommand sqlCommand = new SqlCommand(sql, conn))
{
SqlParameter[] sqlParameter = { new SqlParameter("@EmployeeID", textBox1.Text) };
sqlCommand.Parameters.AddRange(sqlParameter);
using (SqlDataAdapter sqlData = new SqlDataAdapter(sqlCommand))
{
DataTable dataTable = new DataTable();
sqlData.Fill(dataTable);
dataGrid.DataSource = dataTable;
}
}
}
}
}
}再输入sql注入会报错
如果用在登录或者未经授权的查询时很有用
重新整理代码
using System;
using System.Data;
using System.Windows.Forms;
using System.Data.SqlClient;
using System.Configuration;
namespace WindowsFormsApp1
{
public partial class Form1 : Form
{
string connStr = ConfigurationManager.ConnectionStrings["Northwind"].ConnectionString;
public Form1()
{
InitializeComponent();
}
private void button1_Click(object sender, EventArgs e)
{
string sql = "select * from Employees where ";
SqlParameter[] sqlParameter = { new SqlParameter("@EmployeeID", textBox1.Text) };
FillGridView(sql, dataGridView1, sqlParameter);
}
private void FillGridView(string sql, DataGridView dataGrid, SqlParameter[] sqlParameter = null)
{
using (SqlConnection conn = new SqlConnection(connStr))
{
using (SqlCommand sqlCommand = new SqlCommand(sql, conn))
{
if (sqlParameter != null)
{
sqlCommand.Parameters.AddRange(sqlParameter);
}
using (SqlDataAdapter sqlDataAdapter = new SqlDataAdapter(sqlCommand))
{
DataTable dataTable = new DataTable();
sqlDataAdapter.Fill(dataTable);
dataGrid.DataSource = dataTable;
}
}
}
}
}
} 
相关推荐
ALiDan 0喜欢 / 0评论 2020-07-27
qshpeng 0喜欢 / 0评论 2020-07-26
世樹 0喜欢 / 0评论 2020-07-17
chenjiazhu 0喜欢 / 0评论 2020-07-08
一对儿程序猿 0喜欢 / 0评论 2020-07-04
明月清风精进不止 0喜欢 / 0评论 2020-06-13
godfather 0喜欢 / 0评论 2020-06-13
ItBJLan 0喜欢 / 0评论 2020-06-11
tanrong 0喜欢 / 0评论 2020-06-11
ALiDan 0喜欢 / 0评论 2020-06-11
码墨 0喜欢 / 0评论 2020-06-09
世樹 0喜欢 / 0评论 2020-06-05
lt云飞扬gt 0喜欢 / 0评论 2020-06-03
godfather 0喜欢 / 0评论 2020-06-03
qshpeng 0喜欢 / 0评论 2020-05-11
明月清风精进不止 0喜欢 / 0评论 2020-05-07
gwn00 0喜欢 / 0评论 2020-05-07
sixyearsorless 0喜欢 / 0评论 2020-05-07
一对儿程序猿 0喜欢 / 0评论 2020-05-06
liuyang000 0喜欢 / 0评论 2020-04-20
一对儿程序猿 0喜欢 / 0评论 2020-04-20
ItBJLan 0喜欢 / 0评论 2020-04-19
sunlizhen 0喜欢 / 0评论 2020-04-10
bluetears 0喜欢 / 0评论 2020-04-09
liuyang000 0喜欢 / 0评论 2020-04-07
dayi 0喜欢 / 0评论 2020-03-28
wkwanglei 0喜欢 / 0评论 2020-03-27
qshpeng 0喜欢 / 0评论 2020-03-26
lightlanguage 0喜欢 / 0评论 2020-03-24
sswqycbailong 0喜欢 / 0评论 2020-03-07
明月清风精进不止 0喜欢 / 0评论 2020-03-06
qshpeng 0喜欢 / 0评论 2020-03-06
lt云飞扬gt 0喜欢 / 0评论 2020-03-04
liuyang000 0喜欢 / 0评论 2020-03-03
xuanlvhaoshao 0喜欢 / 0评论 2020-03-01
gwn00 0喜欢 / 0评论 2020-03-01
xuanlvhaoshao 0喜欢 / 0评论 2020-02-21
seteor 0喜欢 / 0评论 2020-02-20
snowguy 0喜欢 / 0评论 2020-02-18
明月清风精进不止 0喜欢 / 0评论 2020-02-17
ALiDan 0喜欢 / 0评论 2020-02-16
gwn00 0喜欢 / 0评论 2020-02-16
tanrong 0喜欢 / 0评论 2020-02-15
bluet00 0喜欢 / 0评论 2020-02-14
gwn00 0喜欢 / 0评论 2020-02-14
gwn00 0喜欢 / 0评论 2020-02-01