Moving code to avoid SQL injection with MySQL AES_ENCRYPT / AES_DECRYPT

Time: 2015-07-24 09:21:45

Tags: c# mysql vb.net

I am converting all my code to vb.Net to avoid SQL injection. Following the example here, I created the new INSERT INTO part of the code and I think it is valid. But I am having a hard time going back and verifying the data.

Please give me an example showing how to do this properly and populate a combobox, a datagridview and a textbox.

Also some examples to simulate SQL injection from vb.Net for testing, as learning material for a beginner like me.

My old INSERT code:

Dim MySQLQuery As String = "INSERT INTO `Agents` (`User_Name`, `User_Pic`) VALUES (AES_ENCRYPT('" & txtUserName.Text & "', '" & MyPass & "'), " &
    "AES_ENCRYPT('" & txtUserPic.Text & "', '" & MyPass & "'))"

My new parameterized INSERT code:

MySQLConn.Open()
Dim command As New MySqlCommand()
Dim SQLADD As String = "INSERT INTO `Agents` (`AG_Nom`, `AG_Pic`) VALUES (AES_ENCRYPT('" & "'@UserName'" & "', '" & MyPass & "'), AES_ENCRYPT('" & "'@UserPic'" & "', '" & MyPass & "'))"

command.CommandText = SQLADD
command.Parameters.AddWithValue("@UserName", txtName.Text)
command.Parameters.AddWithValue("@UserPic", txtPicPath.Text)
command.Connection = MySQLConn
command.ExecuteNonQuery()
MySQLConn.Close()

My old SELECT code:

MySQLQuery = "SELECT AES_DECRYPT(`User_Name`, '" & MyPass & "') AS UName, AES_DECRYPT(`User_Pic`, '" & MyPass & "') AS UPic FROM `Agents`"

MsgBox(MySQLReader.GetString("UName") & vbCrLf & MySQLReader.GetString("UPic"))

How do I build the new parameterized SELECT? I tried:

Dim command As New MySqlCommand()
MySQLConn.Open()
Dim SQLID As String = "SELECT AES_DECRYPT(`AG_Nom`, '" & MyPass & "') AS @UserName, AES_DECRYPT(`AG_Pic`, '" & MyPass & "') AS @UserPic FROM `Agents`"
command = New MySqlCommand(SQLID, MySQLConn)
Dim Reader As MySqlDataReader
Reader = command.ExecuteReader()
While Reader.Read
    txtDcryName.Text = Reader.GetString("@UserName")
    txtDcryPicPath.Text = Reader.GetString("@UserPic")
End While
MySQLConn.Close()
MySQLConn.Dispose()

This last code does not work; it errors at Reader = command.ExecuteReader()

TIA

1 answer:

Answer 0 (score: 1)

You do not have to add @ to the column identifiers. Your insert statement is still vulnerable to SQL injection through the MyPass variable. It can be changed along the same lines as this; I will leave that to you.

Const SelData As String =
    "SELECT AES_DECRYPT(`AG_Nom`, @MyPass) AS UserName, AES_DECRYPT(`AG_Pic`, @MyPass) AS UserPic FROM `Agents`"

' ConnString: your MySQL connection string (the original snippet left it out)
Using conn As New MySqlConnection(ConnString)
    conn.Open()

    Using comm As New MySqlCommand(SelData, conn)
        comm.Parameters.AddWithValue("@MyPass", MyPass)

        Using r As MySqlDataReader = comm.ExecuteReader()
            While r.Read
                txtDcryName.Text = r.GetString("UserName")
                txtDcryPicPath.Text = r.GetString("UserPic")
            End While
        End Using
    End Using
End Using
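A complete version of the approach in the answer, as an added example that is not code from the question or the answer: the INSERT is parameterized the same way (which the answer leaves to the reader), both the user input and the key are sent as parameters rather than spliced into the SQL text, and the SELECT result is loaded into a DataTable so it can be bound to a DataGridView, ComboBox and TextBox as the question asks. The table and column names come from the question; `ConnString`, the module name and the method names are assumptions, and the connection string value is a placeholder.

```vb
Imports System.Data
Imports System.Windows.Forms
Imports MySql.Data.MySqlClient

' Added example: parameterized INSERT and SELECT around MySQL AES_ENCRYPT/AES_DECRYPT.
' User-supplied values and the key (MyPass) both travel as parameters, never
' concatenated into the SQL string. ConnString and all names here are assumptions.
Public Module AgentsData

    ' Assumed connection string; replace with your own.
    Private Const ConnString As String = "Server=localhost;Database=agents;Uid=app;Pwd=REPLACE_ME;"

    ' Placeholders are bare (no surrounding quotes). The driver sends each value
    ' separately, so a quote in the input is stored as data, not parsed as SQL.
    Private Const InsertSql As String =
        "INSERT INTO `Agents` (`AG_Nom`, `AG_Pic`) " &
        "VALUES (AES_ENCRYPT(@UserName, @MyPass), AES_ENCRYPT(@UserPic, @MyPass))"

    ' AES_DECRYPT returns a binary string, so convert it to a character set on the
    ' server before reading it as text on the client. A wrong key yields NULL.
    Private Const SelectSql As String =
        "SELECT CONVERT(AES_DECRYPT(`AG_Nom`, @MyPass) USING utf8mb4) AS UserName, " &
        "       CONVERT(AES_DECRYPT(`AG_Pic`, @MyPass) USING utf8mb4) AS UserPic " &
        "FROM `Agents`"

    Public Sub InsertAgent(userName As String, userPic As String, myPass As String)
        Using conn As New MySqlConnection(ConnString)
            conn.Open()
            Using cmd As New MySqlCommand(InsertSql, conn)
                cmd.Parameters.AddWithValue("@UserName", userName)
                cmd.Parameters.AddWithValue("@UserPic", userPic)
                cmd.Parameters.AddWithValue("@MyPass", myPass)
                cmd.ExecuteNonQuery()
            End Using
        End Using
    End Sub

    ' Returns all agents decrypted with myPass. Rows encrypted under a different
    ' key come back as DBNull because AES_DECRYPT returns NULL on failure.
    Public Function LoadAgents(myPass As String) As DataTable
        Dim table As New DataTable()
        Using conn As New MySqlConnection(ConnString)
            Using cmd As New MySqlCommand(SelectSql, conn)
                cmd.Parameters.AddWithValue("@MyPass", myPass)
                Using adapter As New MySqlDataAdapter(cmd)
                    adapter.Fill(table)   ' Fill opens and closes the connection itself
                End Using
            End Using
        End Using
        Return table
    End Function

    ' Binding the decrypted rows to WinForms controls, as the question asks.
    Public Sub BindAgents(dgv As DataGridView, combo As ComboBox, txtFirstName As TextBox, myPass As String)
        Dim table As DataTable = LoadAgents(myPass)
        dgv.DataSource = table
        combo.DataSource = table
        combo.DisplayMember = "UserName"
        combo.ValueMember = "UserName"
        If table.Rows.Count > 0 AndAlso Not IsDBNull(table.Rows(0)("UserName")) Then
            txtFirstName.Text = CStr(table.Rows(0)("UserName"))
        End If
    End Sub
End Module
```

Parameterizing the key closes the injection path through MyPass, but the key is still sent to the server in every statement; use a TLS-protected connection and keep the server's general query log off, or the key will appear there in clear text.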