MyI创建了一个应该从数据中收集信息的表单。这个数据可能包括随机字符,包括“'等等。我的问题是如何在没有sql注入攻击的情况下安全地插入数据,以及在哪里可以插入转义字符,这样每当像'/'这样的字符时,这个表单不会抛出错误等插入。
到目前为止,这是我的代码:
public string InsertRecordSet()
{
source = new FileInfo(@"c:\scripts\db_connection.txt");
stream = source.OpenText();
String text = stream.ReadLine();
stream.Close();
String uid = text.Substring(0, text.IndexOf(":"));
String pw = text.Substring(text.IndexOf(":") + 1, (text.Length - uid.Length - 1));
String connectionString = "dsn=" + "db" + "; uid=" + uid + "; pwd=" + pw + ";";
String statement = "INSERT INTO table (SubmitDate, FirstName, LastName, Email, Phone, Major, Description, HearAbout) VALUES (@SubmitDate, @FirstName, @LastName, @Email, @Phone, @Major, @Description, @HearAbout)";
conn = new OdbcConnection(connectionString);
command = new OdbcCommand(statement, conn);
command.Parameters.AddWithValue("@SubmitDate", DateTime.Now);
command.Parameters.AddWithValue("@FirstName", txtFname.Text);
command.Parameters.AddWithValue("@LastName", txtLname.Text);
command.Parameters.AddWithValue("@Email", txtEmail.Text);
command.Parameters.AddWithValue("@Phone", txtPhone.Text);
command.Parameters.AddWithValue("@Major", txtMajor.Text);
command.Parameters.AddWithValue("@Desciption", txtDescription.Text);
command.Parameters.AddWithValue("@HearAbout", txtMaxwell.Text);
conn.Open();
try
{
command.ExecuteNonQuery();
return "true";
}
catch (OdbcException oe)
{
_dbError = true;
Session.Contents.Add("USIFormException", oe);
return (oe.ToString());
}
finally
{
conn.Close();
}
}
答案 0 :(得分:1)
对于SQL注入保护,不要使用内联SQL,而是使用参数化SQL。
参数化SQL会阻止SQL注入,因为它只允许值(或参数)成为字符串的一部分,而不是任何内容。例如,您的参数化SQL字符串中没有DROP TABLE xyz,因为Command对象知道这不是合法的参数值。
所以代替这段代码:
String statement = "INSERT INTO MyTable(SubmitDate, FirstName, LastName, Email, Phone, Major, Description, HearAbout)";
statement += "VALUES (";
statement += "'" + DateTime.Now.ToShortDateString() + "',";
statement += "'" + txtFname.Text + "', ";
conn = new OdbcConnection(connectionString);
command = new OdbcCommand(statement, conn);
你应该有这样的代码:
String statement = String statement = "INSERT INTO MyTable(SubmitDate, FirstName, LastName, Email, Phone, Major, Description, HearAbout) VALUES (@SubmitDate, @FirstName)";
command.Parameters.Add("@SubmitDate", DateTime.Now.ToShortDateString());
command.Parameters.Add("@FirstName", txtFname.Text);
注意:如果您的数据库逻辑正在执行动态SQL,参数化查询将无法完全保护您免受SQL注入攻击,因此请避免使用它。
答案 1 :(得分:0)
您应该使用参数化值。
string query = "INSERT INTO MyTable(SubmitDate, FirstName, LastName, Email, Phone, Major, Description, HearAbout)";
query += " VALUES (@SubmitDate, @FirstName, @LastName, @EMail, @Phone, @Major, @Description, @HearAbout)";
conn = new OdbcConnection(connectionString);
command = new OdbcCommand(query, conn);
command.Parameters.AddWithValue("@SubmitDate", DateTime.Now.ToShortDateString());
command.Parameters.AddWithValue("@FirstName", txtFname.Tex);
...
conn.Open();
command.ExecuteNonQuery();
http://msdn.microsoft.com/en-us/library/system.data.odbc.odbccommand.aspx
http://msdn.microsoft.com/en-us/library/system.data.odbc.odbcparametercollection.aspx