AppScan Source

时间:2016-03-10 10:00:00

标签: c# asp.net web xss sql-injection

因此,我在一个基本上是公司会议室预订系统的网站上获得了管理,它连接到访问数据库以获取房间详细信息和空缺。问题是,AppScan源显示出XSS和SQL注入的风险。这是表示这些错误发生的完整函数。

protected void btnReserve_Click(object sender, System.EventArgs e)
                            {
                                            string start_slot, end_slot, event_desc, room_id, emp_nid;
                                            string[] date;
                                            start_slot = ddlStart.SelectedValue;
                                            end_slot = ddlEnd.SelectedValue;
                                            event_desc = txtEventDesc.Text;
                                            room_id = Server.HtmlEncode(Request.QueryString["room_id"]);
  emp_nid = Regex.Replace(Request.ServerVariables["LOGON_USER"], @"^.*\\(.*)$", "$1").ToUpper();
                                            date = Request.QueryString["date"].Split('/');
                                            DateTime dt = new DateTime(Convert.ToInt32(date[2]),Convert.ToInt32(date[0]),Convert.ToInt32(date[1]));
  string sCmdCheckConflict = @"
      SELECT     count(*)
      FROM         t_msc_event
      WHERE     (event_date = #" +DateTime.Parse(Request.QueryString["date"]).ToString() + @"# )
      AND (room_id = " + room_id + @") AND
      (
      (" + start_slot + @" BETWEEN start_slot AND end_slot) OR
      (" + end_slot + @" BETWEEN start_slot AND end_slot) OR
      (start_slot BETWEEN " + start_slot + @" AND " + end_slot + @") OR
      (end_slot BETWEEN " + start_slot + @" AND " + end_slot + "))";
  OleDbCommand cmdConflictCounter = new OleDbCommand(sCmdCheckConflict, cn);
  int n;
  int event_id;

  try
  {
    cn.Open();
    n = (int) cmdConflictCounter.ExecuteScalar();
                                                            string Msg;
    if (n>0)
    {
      Msg = "<script language=javascript>alert('Chosen time is not possible due to a conflict.');</script>";
    }
    else
    {
      #region MS Access related region
      OleDbCommand cmdgetMaxId = new OleDbCommand("select max(event_id) from t_msc_event", cn);
      string sCmdInsert;
      OleDbCommand cmdInsertEvent = null;
      event_id = 0; bool success = false; int trials = 0;
      do
      {
          try
          {
            event_id = (int) cmdgetMaxId.ExecuteScalar() + 1;
          }
          catch
          {
            event_id = 0;
          }
          sCmdInsert = @"
                                        insert into t_msc_event (event_id,
                                        emp_nid, event_desc, event_date,
                                        start_slot, end_slot, room_id
                                        ) values (" + event_id + @",
                                        '" + Server.HtmlEncode(emp_nid) + "', '" + Server.HtmlEncode(event_desc.Replace("'", "''")) + "', #" + dt.ToShortDateString() + "#, " +
            start_slot + ", " + end_slot + ", " + room_id + ")";             
          cmdInsertEvent = new OleDbCommand(sCmdInsert, cn);
          cmdInsertEvent.ExecuteNonQuery();
          success = true;
      } while ((!success) && (trials <=5));

      OleDbDataAdapter daGetSlots = new OleDbDataAdapter("select slot_id, left(slot_desc,5) as slot_start, right(slot_desc,5) as slot_end from t_msc_slot order by slot_id", cn);
      DataTable dtSlotInfo = new DataTable();
      daGetSlots.Fill(dtSlotInfo);
      OleDbCommand cmdGetRoolTitle = new OleDbCommand("select room_title from t_msc_room where room_id=" + Server.HtmlEncode(room_id), cn);
      string room_title = (string) cmdGetRoolTitle.ExecuteScalar();
      string msg = "Dear " + emp_nid +
        ",<br><br>This is to confirm your reservation of " +
        room_title +
        " on " + dt.ToShortDateString() + " from " +
        dtSlotInfo.Rows[Convert.ToInt32(start_slot)]["slot_start"].ToString() + " to " +
        dtSlotInfo.Rows[Convert.ToInt32(end_slot)]["slot_end"].ToString() + "." +
        "<br><br>In case you want to cancel, go to " +
        "<a href='" + Regex.Replace(Request.Url.ToString(), @"^(.*)/.*\.aspx\?*.*$", "$1/MyReservations.aspx") + "'>" +
        "MS Conference Rooms Reservation -> MyReservatios</a>";
      #endregion
      string subject = "MS Conference Room Reservation Confirmation [id=" + event_id + "]";
      try
      {
        SendEmail(emp_nid, subject, msg);
        Msg = "<script language=javascript>alert('Room successfully reserved. You should receive a confirmation email shortly.'); if (opener) {opener.__doPostBack('" + Request.QueryString["btnGetScheduleID"].Replace("_","$") + "', '');} window.close();</script>";
      }
      catch
      {
        Msg = "<script language=javascript>alert('Room successfully reserved.'); if (opener) {opener.__doPostBack('" + Request.QueryString["btnGetScheduleID"].Replace("_","$") + "', '');} window.close();</script>";
      }
    }
    Response.Write(Msg);
  }
                                            catch (Exception x)
                                            {
    Response.Write(x.ToString());
                                                            string Msg;
                                                            Msg = "<script language=javascript>alert('Error: " + x.ToString() + "');</script>";
    Response.Write(Msg);
                                            }
                                            finally
                                            {
                                                            cn.Close();
                                            }
                            }

很抱歉不得不向您展示整个功能,因为我真的不知道我需要在这里做什么,这不是我的应用程序。 我所做的是1)在ASP.NET中启用请求验证2)使用Server.HtmlEncode()编码用户输入;但它仍然报告同样的事情。请注意,start_slot和end_slot都是DDL,因此我认为在发送之前我不需要对它们进行编码/检查。您能否帮我修改此代码以忽略有害的用户输入?谢谢你加载。

1 个答案:

答案 0 :(得分:0)

使用参数化SQL查询的正确方法是

string commandText = "UPDATE ProductDetails
                      SET ProductQuantity = @quantity WHERE ProductId = @productId";

    SqlCommand command = new SqlCommand(commandText, connection);
    command.Parameters.AddWithValue("@productId", "P123");       
    command.Parameters.AddWithValue("@quantity", 10);

您可以安全地更换&#34; P123&#34;用户现在提供输入。