SQL Injection with Parameterized Queries in ASP.NET


Question

So I have a bit of a problem. On a website I am developing I allow people to type in an address; once they hit a save button, the address they typed is stored in my database.

I was (mistakenly) under the impression that using parameterized queries would help prevent SQL injection. Here is my code that runs once they press "save":

using System.Data.SqlClient;

SqlConnection Conn = new SqlConnection(@"Data Source=**********;Initial Catalog=********;Persist Security Info=True;User ID=******;Password=*********");
// The SET values below are bound as parameters, but the three WHERE values are concatenated straight into the SQL text.
SqlCommand updateMeeting = new SqlCommand(@"UPDATE [*******].[dbo].[**********] SET Title=@title, Date=@date, Location=@location, Announcement=@announcement WHERE Title = '" + commands[1] + "' AND Date = '" + Convert.ToDateTime(commands[2]) + "' AND Location = '" + commands[3] + "'", Conn);
updateMeeting.Parameters.AddWithValue("@title", newTitle);
updateMeeting.Parameters.AddWithValue("@date", newDate);
updateMeeting.Parameters.AddWithValue("@location", newLocation);
updateMeeting.Parameters.AddWithValue("@announcement", newBody);
updateMeeting.Connection.Open();
updateMeeting.ExecuteNonQuery();
updateMeeting.Connection.Close();

newTitle, newDate, newLocation and newBody are just string variables taken from their associated text boxes.

Rest assured that the commands array is sanitized. That's not where my injection problem comes into play.

And yet, if I enter the following into my "location" text box, the injection attack succeeds and a row gets added to my database:

');INSERT INTO [********].[dbo].[*********] (Title) VALUES ('Injection'); --

So clearly I've missed something, or I'm not understanding how these parameterized queries work. Isn't the entire point of this thing to make sure that the VarChar value for "location" is simply "');INSERT INTO [****].[dbo].[******] (Title) VALUES ('Injection'); --", and if not, that the injection attack fails?

Recommended answer

You're really close: you have parameterized the values you are updating with, but not the values in your WHERE clause. Try something like this instead:

using System.Data.SqlClient;

SqlConnection Conn = new SqlConnection(@"Data Source=**********;Initial Catalog=********;Persist Security Info=True;User ID=******;Password=*********");
// All seven user-supplied values, in SET and in WHERE alike, are now bound parameters.
SqlCommand updateMeeting = new SqlCommand(@"
    UPDATE [*******].[dbo].[**********] 
    SET Title=@title, 
        Date=@date, 
        Location=@location, 
        Announcement=@announcement 
    WHERE Title = @commands1
        AND Date = @commands2
        AND Location = @commands3",
        Conn);
updateMeeting.Parameters.AddWithValue("@title", newTitle);
updateMeeting.Parameters.AddWithValue("@date", newDate);
updateMeeting.Parameters.AddWithValue("@location", newLocation);
updateMeeting.Parameters.AddWithValue("@announcement", newBody);
updateMeeting.Parameters.AddWithValue("@commands1", commands[1]);
updateMeeting.Parameters.AddWithValue("@commands2", Convert.ToDateTime(commands[2]));
updateMeeting.Parameters.AddWithValue("@commands3", commands[3]);
updateMeeting.Connection.Open();
updateMeeting.ExecuteNonQuery();
updateMeeting.Connection.Close();
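To see why the answer's change matters, here is an added example (not from the question or the answer) that reproduces both versions of the UPDATE against an in-memory SQLite database in Python. The table name `Meetings`, its starting row and the payload are constructed for the demo; the payload has the same shape as the one in the question but is fitted to this WHERE clause. The vulnerable variant fixes the SET values to a constant because `sqlite3` cannot bind parameters into a multi-statement batch the way `SqlCommand` does, and it uses `executescript()` to stand in for SQL Server, which likewise runs every statement in the text it receives.

```python
import sqlite3

# Constructed schema standing in for the masked [db].[dbo].[table] in the post.
SCHEMA = """
CREATE TABLE Meetings (Title TEXT, Date TEXT, Location TEXT, Announcement TEXT);
INSERT INTO Meetings VALUES ('Standup', '2011-03-01', 'Room 1', 'old text');
"""

# Constructed payload of the same shape as the one in the question, fitted to
# this WHERE clause: close the open string literal, end the statement, append a
# statement of the attacker's choosing, and comment out whatever follows.
PAYLOAD = "';INSERT INTO Meetings (Title) VALUES ('Injection'); --"


def fresh_db():
    """One in-memory database per scenario so the runs do not influence each other."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def titles(conn):
    return [row[0] for row in conn.execute("SELECT Title FROM Meetings ORDER BY rowid")]


def location_of(conn, title):
    return conn.execute("SELECT Location FROM Meetings WHERE Title = ?", (title,)).fetchone()[0]


def update_where_concatenated(conn, where):
    """The defect in the question: the WHERE values are glued into the SQL text.

    The SET values were bound correctly in the original and are not the problem,
    so this demo fixes them to a constant. executescript() stands in for SQL
    Server here: like SqlCommand, it runs every statement in the text it receives.
    """
    sql = ("UPDATE Meetings SET Announcement = 'updated'"
           " WHERE Title = '" + where["title"] + "'"
           " AND Date = '" + where["date"] + "'"
           " AND Location = '" + where["location"] + "'")
    conn.executescript(sql)
    return sql


def update_parameterized(conn, new, where):
    """The fix from the answer: every user-supplied value is a bound parameter.

    Returns how many rows the WHERE clause matched.
    """
    sql = ("UPDATE Meetings SET Title = ?, Date = ?, Location = ?, Announcement = ?"
           " WHERE Title = ? AND Date = ? AND Location = ?")
    cur = conn.execute(sql, (new["title"], new["date"], new["location"], new["announcement"],
                             where["title"], where["date"], where["location"]))
    conn.commit()
    return cur.rowcount


def demo():
    """Runs the payload through both versions and reports what ended up in the table."""
    hostile_where = {"title": "Standup", "date": "2011-03-01", "location": PAYLOAD}
    benign_where = {"title": "Standup", "date": "2011-03-01", "location": "Room 1"}

    # 1. Concatenated WHERE: the payload terminates the UPDATE and its INSERT runs.
    vuln = fresh_db()
    update_where_concatenated(vuln, hostile_where)

    # 2. Parameterized WHERE: the payload is compared as plain text and matches no row.
    safe = fresh_db()
    matched = update_parameterized(safe, {**benign_where, "announcement": "new text"}, hostile_where)

    # 3. Parameterized SET: the payload is stored verbatim, which is what the question expected.
    stored = fresh_db()
    update_parameterized(stored, {"title": "Standup", "date": "2011-03-01",
                                  "location": PAYLOAD, "announcement": "new text"}, benign_where)

    return {
        "vulnerable_titles": titles(vuln),
        "safe_rows_matched": matched,
        "safe_titles": titles(safe),
        "stored_location": location_of(stored, "Standup"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running `demo()` shows the two outcomes side by side: with the concatenated WHERE clause the table gains an `Injection` row, while with every value bound as a parameter the same text either matches nothing or is stored as an ordinary string. A quick check when reviewing ADO.NET code is to look for any `+` or string interpolation inside the `CommandText`; if a user-controlled value reaches the SQL text that way, the parameters on the other values do not protect it.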

