这个SELECT语句有什么不安全感?

时间:2014-10-11 16:48:40

标签: c# sql asp.net .net

我是ASP.NET和C#的新手。从我正在阅读的书中,我写了一个从数据库中获取值的SELECT语句。然而,当我在网上搜索时,程序员说这是不安全的,不应该这样做。对于C#中的新手,我怎么知道我编程的方式是错还是正确?有规则吗?例如,编写此代码的正确方法是什么:

using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["CustomerDataConnectionString"].ConnectionString))
{
    SqlCommand cmd = new SqlCommand("SELECT CONVERT(varchar, CAST(plan_rate AS money), 1) FROM [dbo].[plans] WHERE plan_name = '" + Dropdownbox1.Text + "'", conn);
    conn.Open();

    using (conn)
    {
        Object result = cmd.ExecuteScalar();
        if (result != null)
            Label6.Text = "Plan rate: $" + result.ToString();
        else
            Label6.Text = "Plan is not available in this state.";

        conn.Close();
    }

    ....... rest of code

1 个答案:

答案 0 :(得分:5)

您确定此代码不安全。考虑如果Dropdownbox1.Text包含'; DROP TABLE dbo.plans --等恶意内容会发生什么。生成的查询将是

SELECT CONVERT(varchar, CAST(plan_rate AS money), 1)
FROM [dbo].[plans]
WHERE plan_name = '';

DROP TABLE dbo.plans --'

,您的plans表格将被删除!

要防范这种情况,请使用参数化查询而不是字符串连接:

SqlCommand cmd = new SqlCommand("SELECT CONVERT(varchar, CAST(plan_rate AS money), 1) FROM [dbo].[plans] WHERE plan_name = @plan_name", conn);
cmd.Parameters.AddWithValue("@plan_name", Dropdownbox1.Text);

使用参数时,SQL查询引擎会将参数的值视为 data 而不是可能的命令。请在security.stackexchange.com上阅读此great answer以了解其中的差异。

在不相关的说明中,using有两个conn语句是不必要的;一个就够了:

using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["CustomerDataConnectionString"].ConnectionString))
{
    conn.Open();

    SqlCommand cmd = new SqlCommand("SELECT CONVERT(varchar, CAST(plan_rate AS money), 1) FROM [dbo].[plans] WHERE plan_name = @plan_name", conn);
    cmd.Parameters.AddWithValue("@plan_name", Dropdownbox1.Text);
    Object result = cmd.ExecuteScalar();

    if (result != null)
        Label6.Text = "Plan rate: $" + result.ToString();
    else
        Label6.Text = "Plan is not available in this state.";
}