Removing the SQL injection vulnerability from the code that drops sync tracking tables

Posted: 2014-01-01 14:18:07

Tags: c# sql sync microsoft-sync-framework

I am using the Microsoft Sync Framework in my application for data synchronization. To drop the tracking tables I use the code below.

// Code as posted: tableName is formatted straight into the DDL text (this is
// the pattern CAT.NET flags). conn is an existing SqlConnection.
SqlCommand comm;
StringBuilder sb = new StringBuilder();

// Drop tracking table & triggers
sb.AppendFormat(@"
IF EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].[{0}_tracking]') AND type in (N'U'))
DROP TABLE [dbo].[{0}_tracking]
IF EXISTS (SELECT * FROM sys.triggers WHERE object_id = OBJECT_ID(N'[dbo].[{0}_insert_trigger]'))
DROP TRIGGER [dbo].[{0}_insert_trigger]
IF EXISTS (SELECT * FROM sys.triggers WHERE object_id = OBJECT_ID(N'[dbo].[{0}_delete_trigger]'))
DROP TRIGGER [dbo].[{0}_delete_trigger]
IF EXISTS (SELECT * FROM sys.triggers WHERE object_id = OBJECT_ID(N'[dbo].[{0}_update_trigger]'))
DROP TRIGGER [dbo].[{0}_update_trigger]", tableName);

// Drop the stored procedures the Sync Framework generated for this table
foreach (string procName in new string[] { "delete", "deletemetadata", "insert", "insertmetadata", "update", "updatemetadata", "selectrow", "selectchanges" })
{
    sb.AppendFormat(@"IF EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].[{0}_{1}]')  AND type in (N'P', N'PC'))
DROP PROCEDURE [dbo].[{0}_{1}]", tableName, procName);
}

using (comm = new SqlCommand(sb.ToString(), conn))
{
    conn.Open();
    comm.ExecuteNonQuery();
    conn.Close();
}

When I run CAT.NET on the DLL that contains this code, it reports a SQL injection vulnerability. Can anyone suggest how to remove this SQL injection issue?

For more information about the above code, you can click here.
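One way to restructure the question's routine so that the caller's string never reaches the SQL text unchecked, as an added example that is not from the question or from the Sync Framework itself. The object name cannot be a parameter in DDL, so the example validates the name against a strict identifier pattern, confirms it with a parameterized lookup in sys.tables, and only then builds the DROP statements from a bracket-quoted copy; TrackingCleanup, SafeName and BuildDropScript are names chosen here.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text;
using System.Text.RegularExpressions;
// Hypothetical helper (not from the question or the Sync Framework): drops the
// tracking table, triggers and procedures for one base table without splicing
// the caller's raw string into the DDL text.
static class TrackingCleanup
{
    // Only ordinary unquoted identifiers are accepted; anything else is rejected.
    static readonly Regex SafeName = new Regex(@"^[A-Za-z_][A-Za-z0-9_]{0,100}$");
    static readonly string[] ProcSuffixes = { "delete", "deletemetadata", "insert",
        "insertmetadata", "update", "updatemetadata", "selectrow", "selectchanges" };

    // Requires an open connection; returns the script instead of running it so it can be reviewed.
    public static string BuildDropScript(SqlConnection conn, string tableName)
    {
        if (tableName == null || !SafeName.IsMatch(tableName))
            throw new ArgumentException("table name has an unexpected shape", nameof(tableName));
        // Parameterized existence check: the value never enters SQL text here.
        using (var check = new SqlCommand(
            "SELECT COUNT(*) FROM sys.tables WHERE schema_id = SCHEMA_ID('dbo') AND name = @name", conn))
        {
            check.Parameters.Add("@name", SqlDbType.NVarChar, 128).Value = tableName;
            if ((int)check.ExecuteScalar() == 0)
                throw new ArgumentException("no such base table in dbo: " + tableName);
        }
        // Object names cannot be parameters in DDL, so the validated name is
        // bracket-quoted (QuoteIdentifier doubles any ']') as defence in depth.
        var quoter = new SqlCommandBuilder();
        Func<string, string> obj = suffix => "[dbo]." + quoter.QuoteIdentifier(tableName + "_" + suffix);
        var sb = new StringBuilder();
        sb.AppendFormat("IF OBJECT_ID(N'{0}', N'U') IS NOT NULL DROP TABLE {0};\n", obj("tracking"));
        foreach (string t in new[] { "insert", "delete", "update" })
            sb.AppendFormat("IF OBJECT_ID(N'{0}', N'TR') IS NOT NULL DROP TRIGGER {0};\n", obj(t + "_trigger"));
        foreach (string p in ProcSuffixes)
            sb.AppendFormat("IF OBJECT_ID(N'{0}', N'P') IS NOT NULL DROP PROCEDURE {0};\n", obj(p));
        return sb.ToString();
    }

    public static void DropTrackingObjects(SqlConnection conn, string tableName)
    {
        conn.Open();
        try { using (var cmd = new SqlCommand(BuildDropScript(conn, tableName), conn)) cmd.ExecuteNonQuery(); }
        finally { conn.Close(); }
    }
}
```

The regular expression is the actual control; the sys.tables lookup and QuoteIdentifier are layered behind it so a name that somehow slips past one check still cannot alter the statement.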

2 answers:

Answer 0 (score: 1)

Since you depend on an external DLL, this cannot be done. You could convert it to a stored procedure and try to avoid inline statements.

Hope that helps.

Answer 1 (score: 0)

Why drop these objects manually instead of simply running deprovisioning from the Sync Framework?

Even with the code above, you will not be dropping the user-defined table types.