堆栈内存溢出
  简体   繁体   English

真的对sql注入感到困惑

[英]Really confused about sql injection

 原文  2016-07-18 04:51:18       c#/ sql/ .net/ sql-injection

问题描述

Got this detail page about bug that might lead to sql injection 获得了有关可能导致SQL注入的错误的详细页面

URL encoded GET input classid was set to 1 AND 3*2*1=6 AND 608=608 URL编码的GET输入classid设置为1 AND 3 * 2 * 1 = 6 AND 608 = 608

Tests performed: 进行的测试:

  • 1*1*1*1 => TRUE 1 * 1 * 1 * 1 =>是
  • 1*608*603*0 => FALSE 1 * 608 * 603 * 0 =>假
  • 11*5*2*999 => FALSE 11 * 5 * 2 * 999 =>假
  • 1*1*1 => TRUE 1 * 1 * 1 =>是
  • 1*1*1*1*1*1 => TRUE 1 * 1 * 1 * 1 * 1 * 1 =>是
  • 11*1*1*0*1*1*608 => FALSE 11 * 1 * 1 * 0 * 1 * 1 * 608 =>假
  • 1 AND 5*4=20 AND 608=608 => TRUE 1 AND 5 * 4 = 20 AND 608 = 608 => TRUE
  • 1 AND 5*4=21 AND 608=608 => FALSE ... (line truncated) 1 AND 5 * 4 = 21 AND 608 = 608 => FALSE ...(行被截断)

And this is the source code that might cause the matter: 这是可能导致此问题的源代码: 

if (!string.IsNullOrEmpty(Request.QueryString["classid"]))
{
    string tSql = @" SELECT  [Award_ID],[Award_Name],[Award_Info],[Award_Pic],[Award_Num],[Award_MoneyCost],[Award_MoneyGet],[Award_Type],[Award_AddDate],[Award_Hot],[Award_OnLineTime],[AwardProP],[PrizeSlidePic],[PrizeDetailPic],[PrizeBigSlidePic],[IsTop],[ClassID] FROM  dbo.Web_Award WHERE ClassID={0} ";

    DataTable data = DbSession.Default.FromSql(string.Format(tSql, Request.QueryString["classid"])).ToDataTable();

    if (data.Rows.Count > 0)
    {
        rptList.DataSource = data;
        rptList.DataBind();
    }
}
else
{
    string tSql = @" SELECT  [Award_ID],[Award_Name],[Award_Info],[Award_Pic],[Award_Num],[Award_MoneyCost],[Award_MoneyGet],[Award_Type],[Award_AddDate],[Award_Hot],[Award_OnLineTime],[AwardProP],[PrizeSlidePic],[PrizeDetailPic],[PrizeBigSlidePic],[IsTop],[ClassID] FROM  dbo.Web_Award  ";

    DataTable data = DbSession.Default.FromSql(tSql).ToDataTable();

    if (data.Rows.Count > 0)
    {
        rptList.DataSource = data;
        rptList.DataBind();
    }
}

Can anyone tell me how to deal with this...thanks a lot! 谁能告诉我该如何处理...非常感谢!

Now i have modifeid my code to 现在我修改了我的代码 

if (!string.IsNullOrEmpty(Request.QueryString["classid"]))
        {
            //string tSql = @" SELECT  [Award_ID],[Award_Name],[Award_Info],[Award_Pic],[Award_Num],[Award_MoneyCost],[Award_MoneyGet],[Award_Type],[Award_AddDate],[Award_Hot],[Award_OnLineTime],[AwardProP],[PrizeSlidePic],[PrizeDetailPic],[PrizeBigSlidePic],[IsTop],[ClassID] FROM  dbo.Web_Award WHERE ClassID={0} ";
            string tSql = "SELECT [Award_ID],[Award_Name],[Award_Info],[Award_Pic],[Award_Num],[Award_MoneyCost],[Award_MoneyGet],[Award_Type],[Award_AddDate],[Award_Hot],[Award_OnLineTime],[AwardProP],[PrizeSlidePic],[PrizeDetailPic],[PrizeBigSlidePic],[IsTop],[ClassID] FROM dbo.Web_Award WHERE ClassID = @ClassID";
            //DataTable data = DbSession.Default.FromSql(string.Format(tSql, Request.QueryString["classid"])).ToDataTable();
            SqlConnection connection = new SqlConnection("Server=(local);Integrated Security=SSPI;database=DaysQP");
            connection.Open();
            SqlCommand command = new SqlCommand(tSql, connection);
            command.Parameters.Add(new SqlParameter("@ClassId", System.Data.SqlDbType.Int));
            command.Parameters["@ClassID"].Value = 1;
            using (SqlDataReader dr = command.ExecuteReader())
            {
                var data = new DataTable();
                data.Load(dr);
                if (data.Rows.Count > 0)
                {
                    rptList.DataSource = data;
                    rptList.DataBind();
                }
            }
            connection.Close();
        }
        else
        {
            string tSql = @" SELECT  [Award_ID],[Award_Name],[Award_Info],[Award_Pic],[Award_Num],[Award_MoneyCost],[Award_MoneyGet],[Award_Type],[Award_AddDate],[Award_Hot],[Award_OnLineTime],[AwardProP],[PrizeSlidePic],[PrizeDetailPic],[PrizeBigSlidePic],[IsTop],[ClassID] FROM  dbo.Web_Award  ";
            DataTable data = DbSession.Default.FromSql(tSql).ToDataTable();
            if (data.Rows.Count > 0)
            {
                rptList.DataSource = data;
                rptList.DataBind();
            }
        }

But the problem still exists.. 但是问题仍然存在。

Finally sovled the problem by using parameterized queries! 最后使用参数化查询解决了这个问题! 

if (!string.IsNullOrEmpty(Request.QueryString["classid"]))
{   
    int number;
    bool result = Int32.TryParse(Request.QueryString["classid"], out number);

if (result == false)
{
    return;
}

//string tSql = @" SELECT  [Award_ID],[Award_Name],[Award_Info],[Award_Pic],[Award_Num],[Award_MoneyCost],[Award_MoneyGet],[Award_Type],[Award_AddDate],[Award_Hot],[Award_OnLineTime],[AwardProP],[PrizeSlidePic],[PrizeDetailPic],[PrizeBigSlidePic],[IsTop],[ClassID] FROM  dbo.Web_Award WHERE ClassID={0} ";
string tSql = "SELECT [Award_ID],[Award_Name],[Award_Info],[Award_Pic],[Award_Num],[Award_MoneyCost],[Award_MoneyGet],[Award_Type],[Award_AddDate],[Award_Hot],[Award_OnLineTime],[AwardProP],[PrizeSlidePic],[PrizeDetailPic],[PrizeBigSlidePic],[IsTop],[ClassID] FROM dbo.Web_Award WHERE ClassID = @ClassID";
 //DataTable data = DbSession.Default.FromSql(string.Format(tSql, Request.QueryString["classid"])).ToDataTable();

SqlConnection connection = (SqlConnection)DbSession.Default.CreateConnection();
//SqlConnection("Server=(local);Integrated Security=SSPI;database=DaysQP");
connection.Open();
SqlCommand command = new SqlCommand(tSql, connection);
command.Parameters.Add(new SqlParameter("@ClassId", System.Data.SqlDbType.Int));
command.Parameters["@ClassID"].Value = number;
using (SqlDataReader dr = command.ExecuteReader())
{
    var data = new DataTable();
    data.Load(dr);
    if (data.Rows.Count > 0)
    {
        rptList.DataSource = data;
        rptList.DataBind();
    }
}
connection.Close();

} }

1 个解决方案

解决方案1
 3 已采纳  2016-07-18 05:23:42

The potential for injection would be here: 注射的潜力将在这里: 

string tSql = @" SELECT  [Award_ID],[Award_Name],[Award_Info],[Award_Pic],[Award_Num],[Award_MoneyCost],[Award_MoneyGet],[Award_Type],[Award_AddDate],[Award_Hot],[Award_OnLineTime],[AwardProP],[PrizeSlidePic],[PrizeDetailPic],[PrizeBigSlidePic],[IsTop],[ClassID] FROM  dbo.Web_Award WHERE ClassID={0} ";
DataTable data = DbSession.Default.FromSql(string.Format(tSql, Request.QueryString["classid"])).ToDataTable();

You're expecting the query to return Web_Award table records whose classId matches Request.QueryString["classid"] 您期望查询返回其classIdRequest.QueryString["classid"]匹配的Web_Award表记录

What happens if the value of Request.QueryString["classid"] is something like: 如果Request.QueryString["classid"]值类似于: 

1 or 1=1

then the query becomes: 然后查询变为: 

select award_id,..... from web_awards where classId=1 or 1=1

and you end up returning data that you never meant to. 最终您将返回原本不希望的数据。

This, in essence, is sql injection which you probably read up a bit more about. 从本质上讲,这是sql注入,您可能已阅读了更多有关它。 Using stored procedures or parameterized queries prevents this sort of attack. 使用存储过程或参数化查询可防止此类攻击。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 对依赖注入感到困惑 - Confused about dependency injection 对Sql Server中的索引感到困惑 - Confused about Index in Sql Server ASP.net初学者真的对StaticObjects及其声明方式感到困惑 - ASP.net beginner really confused about StaticObjects and how to declare it 有关SQL注入和参数化查询的问题 - Questions about SQL injection and Parameterised Queries 什么时候担心SQL注入保护 - When to worry about SQL injection protection 我对在C#和MVC中使用NEW关键字感到非常困惑 - I am really confused about NEW keyword use in C# and MVC 困惑于SOLID和Dependecy Injection - Confused with SOLID and Dependecy Injection 在依赖注入中感到困惑 - Confused in Dependency Injection 对数组中的BinarySearch感到困惑 - Confused about BinarySearch in array 对DataGridView感到困惑 - Confused about DataGridView
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM