Question

有关于可能导致sql注入的错误的详细信息页面

URL编码的GET输入classid设置为1 AND 3 * 2 * 1 = 6 AND 608 = 608

进行了测试：

1 * 1 * 1 * 1 =＆gt; TRUE
1 * 608 * 603 * 0 =＆gt; FALSE
11 * 5 * 2 * 999 =＆gt; FALSE
1 * 1 * 1 =＆gt; TRUE
1 * 1 * 1 * 1 * 1 * 1 =＆gt; TRUE
11 * 1 * 1 * 0 * 1 * 1 * 608 =＆gt; FALSE
1和5 * 4 = 20和608 = 608 =＆gt; TRUE
1和5 * 4 = 21和608 = 608 =＆gt; FALSE ...（线截断）

这是可能导致此事的源代码：

if (!string.IsNullOrEmpty(Request.QueryString["classid"]))
{
    string tSql = @" SELECT  [Award_ID],[Award_Name],[Award_Info],[Award_Pic],[Award_Num],[Award_MoneyCost],[Award_MoneyGet],[Award_Type],[Award_AddDate],[Award_Hot],[Award_OnLineTime],[AwardProP],[PrizeSlidePic],[PrizeDetailPic],[PrizeBigSlidePic],[IsTop],[ClassID] FROM  dbo.Web_Award WHERE ClassID={0} ";

    DataTable data = DbSession.Default.FromSql(string.Format(tSql, Request.QueryString["classid"])).ToDataTable();

    if (data.Rows.Count > 0)
    {
        rptList.DataSource = data;
        rptList.DataBind();
    }
}
else
{
    string tSql = @" SELECT  [Award_ID],[Award_Name],[Award_Info],[Award_Pic],[Award_Num],[Award_MoneyCost],[Award_MoneyGet],[Award_Type],[Award_AddDate],[Award_Hot],[Award_OnLineTime],[AwardProP],[PrizeSlidePic],[PrizeDetailPic],[PrizeBigSlidePic],[IsTop],[ClassID] FROM  dbo.Web_Award  ";

    DataTable data = DbSession.Default.FromSql(tSql).ToDataTable();

    if (data.Rows.Count > 0)
    {
        rptList.DataSource = data;
        rptList.DataBind();
    }
}

任何人都可以告诉我如何处理这个......非常感谢！

现在我已将我的代码修改为

if (!string.IsNullOrEmpty(Request.QueryString["classid"]))
        {
            //string tSql = @" SELECT  [Award_ID],[Award_Name],[Award_Info],[Award_Pic],[Award_Num],[Award_MoneyCost],[Award_MoneyGet],[Award_Type],[Award_AddDate],[Award_Hot],[Award_OnLineTime],[AwardProP],[PrizeSlidePic],[PrizeDetailPic],[PrizeBigSlidePic],[IsTop],[ClassID] FROM  dbo.Web_Award WHERE ClassID={0} ";
            string tSql = "SELECT [Award_ID],[Award_Name],[Award_Info],[Award_Pic],[Award_Num],[Award_MoneyCost],[Award_MoneyGet],[Award_Type],[Award_AddDate],[Award_Hot],[Award_OnLineTime],[AwardProP],[PrizeSlidePic],[PrizeDetailPic],[PrizeBigSlidePic],[IsTop],[ClassID] FROM dbo.Web_Award WHERE ClassID = @ClassID";
            //DataTable data = DbSession.Default.FromSql(string.Format(tSql, Request.QueryString["classid"])).ToDataTable();
            SqlConnection connection = new SqlConnection("Server=(local);Integrated Security=SSPI;database=DaysQP");
            connection.Open();
            SqlCommand command = new SqlCommand(tSql, connection);
            command.Parameters.Add(new SqlParameter("@ClassId", System.Data.SqlDbType.Int));
            command.Parameters["@ClassID"].Value = 1;
            using (SqlDataReader dr = command.ExecuteReader())
            {
                var data = new DataTable();
                data.Load(dr);
                if (data.Rows.Count > 0)
                {
                    rptList.DataSource = data;
                    rptList.DataBind();
                }
            }
            connection.Close();
        }
        else
        {
            string tSql = @" SELECT  [Award_ID],[Award_Name],[Award_Info],[Award_Pic],[Award_Num],[Award_MoneyCost],[Award_MoneyGet],[Award_Type],[Award_AddDate],[Award_Hot],[Award_OnLineTime],[AwardProP],[PrizeSlidePic],[PrizeDetailPic],[PrizeBigSlidePic],[IsTop],[ClassID] FROM  dbo.Web_Award  ";
            DataTable data = DbSession.Default.FromSql(tSql).ToDataTable();
            if (data.Rows.Count > 0)
            {
                rptList.DataSource = data;
                rptList.DataBind();
            }
        }

但问题仍然存在..

最后通过使用参数化查询来解决问题！

if (!string.IsNullOrEmpty(Request.QueryString["classid"]))
{   
    int number;
    bool result = Int32.TryParse(Request.QueryString["classid"], out number);

if (result == false)
{
    return;
}

//string tSql = @" SELECT  [Award_ID],[Award_Name],[Award_Info],[Award_Pic],[Award_Num],[Award_MoneyCost],[Award_MoneyGet],[Award_Type],[Award_AddDate],[Award_Hot],[Award_OnLineTime],[AwardProP],[PrizeSlidePic],[PrizeDetailPic],[PrizeBigSlidePic],[IsTop],[ClassID] FROM  dbo.Web_Award WHERE ClassID={0} ";
string tSql = "SELECT [Award_ID],[Award_Name],[Award_Info],[Award_Pic],[Award_Num],[Award_MoneyCost],[Award_MoneyGet],[Award_Type],[Award_AddDate],[Award_Hot],[Award_OnLineTime],[AwardProP],[PrizeSlidePic],[PrizeDetailPic],[PrizeBigSlidePic],[IsTop],[ClassID] FROM dbo.Web_Award WHERE ClassID = @ClassID";
 //DataTable data = DbSession.Default.FromSql(string.Format(tSql, Request.QueryString["classid"])).ToDataTable();

SqlConnection connection = (SqlConnection)DbSession.Default.CreateConnection();
//SqlConnection("Server=(local);Integrated Security=SSPI;database=DaysQP");
connection.Open();
SqlCommand command = new SqlCommand(tSql, connection);
command.Parameters.Add(new SqlParameter("@ClassId", System.Data.SqlDbType.Int));
command.Parameters["@ClassID"].Value = number;
using (SqlDataReader dr = command.ExecuteReader())
{
    var data = new DataTable();
    data.Load(dr);
    if (data.Rows.Count > 0)
    {
        rptList.DataSource = data;
        rptList.DataBind();
    }
}
connection.Close();

}

Answer 1

注射的可能性如下：

Web_Award

您希望查询返回classId匹配Request.QueryString["classid"]

的Request.QueryString["classid"]表记录

如果1 or 1=1的值类似于：

，会发生什么

select award_id,..... from web_awards where classId=1 or 1=1

然后查询变为：

SELECT * FROM transaction_table WHERE invoice_date >= '2013-01-01' 
AND invoice_date <= '2013-06-30';

并且您最终会返回您从未想过的数据。

这实际上是sql注入，您可能会阅读更多内容。使用存储过程或参数化查询可以防止这种攻击。

关于sql注入真的很困惑

1 个答案: