SQL命令中使用的特殊元素的中和不正确（'SQL注入'） [英] Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

问题描述

你好团队，



请帮我解决veracode中的这个Sql Injection缺陷，并参考下面的代码。



源代码：



flaws @ both com.CommandText = cmdText;

Hello team,

please help me with this Sql Injection flaw in veracode and refer below code.

source code:

flaws @ both com.CommandText = cmdText;

try
                {
                    connOle.Open();
                    OleDbCommand com = connOle.CreateCommand();

                    string cmdText = "DROP TABLE Report";

                    com.CommandText = cmdText;
                    com.ExecuteNonQuery();//flaw at this line

                    cmdText = "CREATE TABLE Report (Datum Text,VG_UG Text,NameVN Text,VstNr Integer,Sti Text,ArtEnt Text,ArtPr Text,Prov float)";
                    com.CommandText = cmdText;//flaw at this line

                    com.ExecuteNonQuery();

                    int i=0;
                    foreach(Calc calc in ar)
                    {

推荐答案

这与SQL注入没有任何关系：它只是一个创建表格的简单字符串。



但是，并非所有系统都支持TEXT数据类型：您可能需要使用NVARCHAR - 但如果不确切知道OLEDB连接的是什么，我们就不能确切地说。



首先将该代码放入try-catch块并在调试器中查找正在生成的错误消息。可能是表已经存在，或者存在任何其他错误。

That has nothing at all to do with SQL injection: it's just a simple string creating a table.

However, not all systems support a TEXT datatype: you may need to use NVARCHAR instead - but without knowing exactly what your OLEDB is connecting to, we can't say exactly.

Start by putting that code into a try-catch block and looking in the debugger at exactly what error message is being generated. It could be that the table exists already, or any of loads of other errors.

不确定你要做什么，但你不能创建那样的表。要创建表，您需要为每列指定正确的数据类型，依此类推。请查看语法 [ ^ ]（如果是SQL Server）



说到这一点，首先放下桌子然后再创建它就没什么意义了。不知怎的，这看起来像是在试图清空桌子。如果这是您的目标，请使用删除 [ ^ ]或 TRUNCATE TABLE [ ^ ]。但即便如此，如果这是一个多用户数据库，其他人会看到你提交后所做的更改...



EDIT



第一次声明很可能是第一次因为你没有桌子掉落而失败...



但是如上所述，即时创建或删除永久表格并不常见

Not sure what you're trying to do but you cannot create table like that. In order to create a table you need to specify proper data types for each column and so on. Have a look at the syntax[^] (if SQL Server)

Having that said, it makes even less sense to first drop the table and then create it. Somehow this looks like you're trying to empty the table. If that is your goal, use either DELETE[^] or TRUNCATE TABLE[^]. But even then remember that if this is a multi user database, other people see the changes you've made as soon as they are committed...

EDIT

The first statement most likely fails on the first time since you don't have a table to drop...

But as said it's not common at all to create or drop permanent tables on-the-fly

这篇关于SQL命令中使用的特殊元素的中和不正确（'SQL注入'）的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！