Avoiding an SQL injection attack


Question

I have an ASP.NET application, in which I have this code:

    using (Data.connexion)
    {
        string queryString = @"select id_user , nom, prenom, mail, login, mdp, last_visite, id_group, id_user_status from USERS where login =@login and mdp=@mdp";
        SqlCommand command = new SqlCommand(queryString, Data.connexion);
        command.Parameters.AddWithValue("@login", _login);
        command.Parameters.AddWithValue("@mdp", _password.GetHashCode().ToString());
        try
        {
            SqlDataReader reader = command.ExecuteReader();
            do
            {
                while (reader.Read())
                {
                    return View("Success");
                }
            } while (reader.NextResult());
        }
        catch { }
    }

When I try an SQL injection attack using this login: '' or 1=1 -- , the attack fails. But if I change the snippet to this one:

    using (Data.connexion)
    {
        string queryString = @"select id_user , nom, prenom, mail, login, mdp, last_visite, id_group, id_user_status from USERS where login =" + _login + " and mdp=" + _password.GetHashCode().ToString();
        SqlCommand command = new SqlCommand(queryString, Data.connexion);
        // command.Parameters.AddWithValue("@login", _login);
        // command.Parameters.AddWithValue("@mdp", _password.GetHashCode().ToString());
        try
        {
            SqlDataReader reader = command.ExecuteReader();
            do
            {
                while (reader.Read())
                {
                    return View("Success");
                }
            } while (reader.NextResult());
        }
        catch { }
    }

I'm redirected to the Success view, so the attack succeeds.

What is the difference between the two ways of coding? What are the best ways to prevent and avoid an SQL injection attack?

Answer

Always use command parameters to avoid SQL injection. SQL injection is handled by command parameters automatically. You don't need to worry about SQL injection if you use command parameters.

When you don't use command parameters, the parameters' values are simply inserted into the SQL query without any handling of SQL injection. But when you use command parameters, ADO.NET handles SQL injection for you.
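To make the difference concrete, here is an added, self-contained ADO.NET example (not the question's or answer's code) that runs the same login check both ways against the login payload from the question. It assumes a USERS table with login and mdp columns reachable through the placeholder connection string; the password "hash" argument is kept only to mirror the question's query shape (String.GetHashCode is not a password hash and should not be stored as one).

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: same query as the question, built two ways.
static class LoginCheck
{
    // Placeholder: replace with your own development connection string.
    const string ConnectionString = "<your-connection-string>";

    // Vulnerable: the login text is spliced into the SQL grammar, exactly as in
    // the second snippet of the question. With login = "'' or 1=1 --" the text
    // sent to SQL Server is
    //   ... where login ='' or 1=1 -- and mdp=...
    // The "--" comments out the password check and "1=1" matches every row.
    public static bool LoginConcatenated(string login, string mdpHash)
    {
        string sql = "select count(*) from USERS where login =" + login + " and mdp=" + mdpHash;
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // Safe: the statement text never changes; SqlClient sends @login and @mdp
    // as typed values (via sp_executesql), so "'' or 1=1 --" is compared as a
    // literal login string and matches no row. Typed Parameters.Add is used
    // instead of AddWithValue so the server-side type is not inferred.
    public static bool LoginParameterized(string login, string mdpHash)
    {
        const string sql = "select count(*) from USERS where login = @login and mdp = @mdp";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@login", SqlDbType.NVarChar, 50).Value = login;
            cmd.Parameters.Add("@mdp", SqlDbType.NVarChar, 100).Value = mdpHash;
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    static void Main()
    {
        string payload = "'' or 1=1 --";   // the login from the question
        Console.WriteLine("concatenated:  " + LoginConcatenated(payload, "0"));
        Console.WriteLine("parameterized: " + LoginParameterized(payload, "0"));
    }
}
```

Against any populated USERS table the concatenated version returns true for the payload while the parameterized one returns false; the same payload can be used as a regression test for every login query in the application.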
