在SQL查询中用双引号替换单引号
[英]Replacing single quotes with double quotes in SQL Query
问题描述
I am creating a vulnerable Windows Forms application using C# to practise SQL Injection and understand why this vulnerability happens in the first place. 
我正在使用C#创建一个易受攻击的Windows Forms应用程序,以练习SQL注入并理解为什么首先发生此漏洞。 I am aware that I should be using parameterised queries to develop a secure application. 我知道我应该使用参数化查询来开发安全的应用程序。
The application requires a user to enter their username and password in order to login. 该应用程序要求用户输入其用户名和密码才能登录。 The following code is responsible for dynamically generating an SQL query based on user's input: 以下代码负责根据用户输入动态生成SQL查询:
public SqlDataReader performLogin(String username_input, String password_input)
{
String username = username_input;
String password = password_input;
String sqlquery = "SELECT * FROM users where username='" + username + "' and password='" + password + "'";
SqlCommand query = new SqlCommand(sqlquery, conn);
SqlDataReader reader = query.ExecuteReader();
return reader;
}
The SQL Server database contains a username called 'admin', and I can login as that user without knowing their password by entering the following data in the username field: SQL Server数据库包含一个名为“ admin”的用户名,我可以通过在用户名字段中输入以下数据来以该用户身份登录而无需知道其密码:
admin'--
However, I would like to modify the dynamically generated SQL query so that I would have to enter double quotes (not two single quotes) instead of one single quote in order to login as admin: 但是,我想修改动态生成的SQL查询,以便我必须输入双引号(而不是两个单引号)而不是一个单引号才能以admin身份登录:
admin"--
I've tried replacing every double quote character with a single quote and every single quote with double quotes. 我尝试用单引号替换每个双引号字符,并用双引号替换每个单引号。 I've also tried replacing every single quote character with double quotes and escaping them as follows: 我还尝试过用双引号替换每个单引号字符,并按如下所示转义它们:
String sqlquery = "SELECT * FROM users where username=\"" + username + "\" and password=\"" + password + "\"";
String sqlquery = "SELECT * FROM users where username=@"" + username + "@" and password=@"" + password + "@"";
I've not been able to find a working solution yet. 我还没有找到一个可行的解决方案。 I either get syntax errors or the application crashes after I attempt to login. 尝试登录后,我收到语法错误或应用程序崩溃。
1 个解决方案
解决方案1
0 已采纳 2018-06-24 20:21:07
Why not just replace the username before passing it onto the query? 为什么不仅仅在将用户名传递给查询之前替换用户名?
string finalUsername = username.Contains("\"") ? username.Replace("\"", "'") : username;
string sqlQuery = "SELECT * FROM users where username='" + finalUsername + "' and password='" + password + "'";
If you wanted, you could even prevent the original vector: 如果需要,甚至可以阻止原始向量:
string finalUsername = username.Contains("\"") ? username.Replace("\"", "'") : (username.Contains("'") ? username.Replace("'", "") : username);
string sqlQuery = "SELECT * FROM users where username='" + finalUsername + "' and password='" + password + "'";
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.