如何防止Visual Basic 2012中的以下代码上的SQL注入
[英]How to prevent SQL Injection on following code in Visual Basic 2012
问题描述
I"m confused on how to prevent SQL injection, I've looked online. Do I use a store procedure, or do I Create variables, Im just completely lost. 
我一直在网上寻找如何防止SQL注入的方法感到困惑。我使用存储过程,还是创建变量,我完全迷失了。
Try
connection.Open()
’we got here so our connection to the db is sound
chosen = cboBooks.SelectedIndex
id = customerList(cboCustomers.SelectedIndex)
isbn = isbnList(cboBooks.SelectedIndex)
If number <= qty Then
Dim sql As String
sql = "INSERT INTO purchase(customer_id, ISBN, store_id, quantity)
VALUES(" & id & ", " & isbn & ", 1, " & number & ");"
Dim cmd As New SqlCommand(sql, connection)
Dim rows As Integer
rows = cmd.ExecuteNonQuery()
If rows >= 1 Then
’now update the inventory to reflect a sale
sql = "UPDATE inventory SET quantity = (quantity -" & number & ")
WHERE inventory.ISBN = " & isbn & " AND store_id = 1"
’define and execute the query command
Dim cmd2 As New SqlCommand(sql, connection)
rows = cmd2.ExecuteNonQuery
2 个解决方案
解决方案1
2 已采纳 2014-04-11 14:14:37
Whenever you are concatinating sql and use variables that the user has direct access to, you are in danger of SQL Injection. 每当您伪装sql并使用用户可以直接访问的变量时,都存在SQL注入的危险。
In your case the fix might look something like this: 在您的情况下,修复程序可能如下所示:
sql = "INSERT INTO purchase(customer_id, ISBN, store_id, quantity)
VALUES(@id, @isbn , 1, @number);"
Dim cmd As New SqlCommand(sql, connection)
cmd.Parameters.AddWithValue("@id", id )
cmd.Parameters.AddWithValue("@isbn", isbn )
cmd.Parameters.AddWithValue("@number", number)
Dim rows As Integer
rows = cmd.ExecuteNonQuery()
The second query would look like this: 第二个查询如下所示:
sql = "UPDATE inventory SET quantity = (quantity - @number)
WHERE inventory.ISBN = @isbn AND store_id = 1"
Dim cmd2 As New SqlCommand(sql, connection)
cmd2.Parameters.AddWithValue("@number", id )
cmd2.Parameters.AddWithValue("@isbn", isbn )
rows = cmd2.ExecuteNonQuery
By using parameters, the string is escaped for any would be malicious code. 通过使用参数,可以将字符串转义为任何恶意代码。
Other good references: 其他良好参考:
What is SQL injection? 什么是SQL注入?
How does the SQL injection from the "Bobby Tables" XKCD comic work? 来自“ Bobby Tables” XKCD漫画的SQL注入如何工作?
EDIT: 编辑:
As @AndyLester points out in the comments, what I am trying to suggest is that using user data to concatenate into your executable code is DANGEROUS! 正如@AndyLester在评论中指出的那样,我试图建议的是,使用用户数据连接到您的可执行代码中是危险的!
解决方案2
2 2014-04-11 14:27:45
To prevent SQL injections, you can achieve it in two ways. 为了防止SQL注入,您可以通过两种方式实现它。
Validating user input: Using the appropriate types prevents SQL injections naturally.
验证用户输入:使用适当的类型自然可以防止SQL注入。 For instance, if customer_id, store_id, and quantity are all integers, then they are safe and you don't need to worry about them. 例如,如果customer_id,store_id和数量都是整数,则它们是安全的,您不必担心它们。 As for the ISBN (I think you use string?), if you validate it to make sure it only contains digits and hyphens, then it is also safe. 至于ISBN(我认为您使用字符串吗?),如果您对其进行验证以确保它仅包含数字和连字符,那么它也是安全的。 Using parameterized queries: This is a great way to prevent SQL injections and also reduce possible bugs in queries.
使用参数化查询:这是防止SQL注入并减少查询中可能的错误的好方法。
A good code uses both technics. 好的代码会同时使用两种技术。
You didn't specify the language/platform you're using, but it looks like VB.Net. 您没有指定使用的语言/平台,但看起来像VB.Net。 Here is how you add parameters to your query: 这是向查询添加参数的方式:
sql = "INSERT INTO purchase(customer_id, ISBN, store_id, quantity)
VALUES(@id, @isbn , 1, @quantity);"
Dim cmd As New SqlCommand(sql, connection)
cmd.Parameters.AddWithValue("@id", id)
cmd.Parameters.AddWithValue("@isbn", isbn)
cmd.Parameters.AddWithValue("@quantity", number)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.