不要相信使用Parameter安全调用分页存贮过程会没有SQL注入:
如:
DbParameter[] dbParams = {
Data.MakeInParam( " @PageIndex " , (DbType)SqlDbType.Int, 4 , pageIndex),
Data.MakeInParam( " @PageSize " , (DbType)SqlDbType.Int, 4 , pageSize),
Data.MakeInParam( " @Tables " , (DbType)SqlDbType.NVarChar, 1000 , tableName),
Data.MakeInParam( " @Fields " , (DbType)SqlDbType.NVarChar, 2000 , fieldList),
Data.MakeInParam( " @Where " , (DbType)SqlDbType.NVarChar, 2000 , where ),
Data.MakeInParam( " @GroupBy " , (DbType)SqlDbType.NVarChar, 2000 , groupBy),
Data.MakeInParam( " @OrderBy " , (DbType)SqlDbType.NVarChar, 1000 , orderBy),
Data.MakeOutParam( " @ReturnCount " , (DbType)SqlDbType.Int, totalRecords),
};
list = Data.GetDbDataReader( " getPagerROWOVER " , dbParams).ToList < TResult > ();
这种调用也存在SQL注入.
我想查询News表中Title存在"博客园"的文章:
PageIndex = 1
PageSize = 20
Tables = "News"
Fields = "*"
Where = "Title like '%博客园%'"
GroupBy = ""
OrderBy = "NewsID Desc"
这种写法是正确的。
当用户输入“''%' or 1=1;--” 一样存在SQL注入。
当拼接Where值的时候取到文本框的值一定也要过滤非法字符。
SQL会自动组合成:
select * from News where Title like '%博客园%' 正确
select * from News where Title like '''%''''''%''' or 1=1;--%'' 存在注入
完