Question

如何在输入参数中防止SQL攻击？不安全的字符（'“）

我有以下存储过程：

我想保护输入 - @NICKNAME_USER，@ PATWORD_USER

IF  EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].[SP_AUTH]') AND type in (N'P', N'PC'))
DROP PROCEDURE [dbo].[SP_AUTH]
GO

CREATE PROCEDURE [dbo].[SP_AUTH]    (@ACTION    INT = NULL,
                                     @NICKNAME_USER VARCHAR(250) = NULL,
                                     @PASSWORD_USER VARCHAR(250) = NULL)
AS
BEGIN TRY
    IF @ACTION = 'L'
         BEGIN

    SELECT  U.ID AS ID_USER, 
            U.NICKNAME AS NICKNAME
            FROM dbo.T_USERS AS U WITH (NOLOCK)
            WHERE U.NICKNAME = @NICKNAME_USER
            AND U.PASSWORD = @PASSWORD_USER
   END
END TRY
BEGIN CATCH

    DECLARE @ErrorMessage NVARCHAR(4000),
            @ErrorSeverity INT,
            @ErrorState INT

    SELECT 
        @ErrorMessage = ERROR_MESSAGE(),
        @ErrorSeverity = ERROR_SEVERITY(),
        @ErrorState = ERROR_STATE();

    RAISERROR (@ErrorMessage, -- Message text.
               @ErrorSeverity, -- Severity.
               @ErrorState -- State.
               );
END CATCH

Answer 1

仅使用带参数的过程将阻止您进行sql注入。有关msdn的更多信息，请here。

如何防止SQL攻击 - 在存储过程中输入参数

1 个答案: