SQL预编译防注入小测试
个人对SQL预编译的认识:
1、效率提升,对SQL语句编译一次可多次使用.避免了硬解析和软解析等步骤,当执行的语句上规模的时候性能差异还是很明显的。
2、安全提升,预编译之后的SQL语句,语义不会发生变化,安全性有相当大的提升。
using System; using System.Collections.Generic; using System.Linq; using System.Text; using System.Data.SqlClient; using System.Data; namespace PreSql { class Program { /* * create table test_table ( a nvarchar(20) ) insert into test_table(a) values('2');*/ const string conStr = @"Password=1qaz!QAZ;Persist Security Info=True;User ID=sa;Initial Catalog=IBatisNet;Data Source=WANGN\CR"; static void Main(string[] args) { Console.WriteLine("SqlJoin:"); SqlJoin(); Console.WriteLine(); Console.WriteLine("PreSqlTest"); PreSqlTest(); Console.WriteLine("Completed"); Console.Read(); } static void SqlJoin() { string sql = "select count(*) from test_table where a='{0}'"; string tmpSql = string.Format(sql, "1' or '1'='1"); string tmpSql2 = string.Format(sql, "1"); using (SqlConnection conn = new SqlConnection(conStr)) { if (conn.State != ConnectionState.Open) { conn.Open(); } SqlCommand com = new SqlCommand(tmpSql, conn); object obj = com.ExecuteScalar(); Console.WriteLine("SQL注入成功:" + obj.ToString()); SqlCommand com2 = new SqlCommand(tmpSql2, conn); object obj2 = com2.ExecuteNonQuery(); Console.WriteLine("正常应返回-1:" + obj2); } } static void PreSqlTest() { string sql = "select count(*) from test_table where a=@id"; using (SqlConnection conn = new SqlConnection(conStr)) { if (conn.State != ConnectionState.Open) { conn.Open(); } SqlCommand com = new SqlCommand(sql, conn); com.Parameters.Add(new SqlParameter { DbType = DbType.String, Size = 256, ParameterName = "@id", Value = "1 or 1=1" }); object obj = com.ExecuteScalar(); Console.WriteLine("SQL注入不成功:" + obj.ToString()); SqlCommand com2 = new SqlCommand(sql, conn); com2.Parameters.Add(new SqlParameter { DbType = DbType.String, Size = 256, ParameterName = "@id", Value = "1" }); object obj2 = com2.ExecuteNonQuery(); Console.WriteLine("正常应返回-1:" + obj2); } } } }
执行结果:
SqlJoin:
SQL注入成功:1
正常应返回-1:-1
PreSqlTest
SQL注入不成功:0
正常应返回-1:-1
Completed