一, 定义:所谓SQL注入攻击是应用程序开发人员未预期地把SQL代码传入到应用程序的过程,只有那些直接使用用户提供的值构造SQL语句的应用程序才会受影响.

  例如原SQL代码为:

  select Orders.CustomerID,Orders.OrderID,Count(UnitPrice) as Items,SUM(UnitPrice*Quantity) as Total from Orders INNER JOIN [Order Details]on Orders.OrderID=[Order Details].OrderID where Orders.CustomerID='"+txtId.Text+"' GROUP BY Orders.OrderID,Orders.CustomerID

  如果在txtId.Text所在的文本框中输入字符串:ALFKI' or '1'='1将会返回所有的订单记录,即便那些订单不是由ALFKI创建的,因为对每一行而言,1=1总是为true.

解决方案:采用参数化命令:

  如使用参数化命令重写前面的代码为:

 protected void btnQuery_Click(object sender, EventArgs e)
{
string conStr = WebConfigurationManager.ConnectionStrings["Northwind"].ConnectionString;
SqlConnection con = new SqlConnection(conStr);
con.Open();
string strSql = "select Orders.CustomerID,Orders.OrderID,Count(UnitPrice) as Items,SUM(UnitPrice*Quantity) as Total from Orders INNER JOIN [Order Details]on Orders.OrderID=[Order Details].OrderID where Orders.CustomerID=@CustomerID GROUP BY Orders.OrderID,Orders.CustomerID";
SqlCommand cmd = new SqlCommand(strSql, con);
cmd.Parameters.AddWithValue("@CustomerID", txtId.Text.Trim().ToString());
SqlDataReader reader = cmd.ExecuteReader();
GridView1.DataSource = reader;
GridView1.DataBind();
reader.Close();
con.Close();
}

  这样就可以避免SQL注入攻击.

  

posted on 2011-10-26 21:56  永远的麦子  阅读(547)  评论(0编辑  收藏  举报