方法RetrieveTableDisplay()
该方法用字符串拼接构造SQL语句，并把来自不受信任来源的输入直接拼入其中：`tableName`（在 `sql` 和 `recordCount` 两条语句中都作为表名拼接）、`AccountNumber`（被单引号包裹后拼入 WHERE 子句，一个 `'` 即可闭合字符串并改写语句）以及 `GenerateOrderByClause(tableName)` 的返回值（拼入 ORDER BY）。若 `currentPageNumber`/`currentPageSize` 为整数类型，则分页边界本身不是注入点。攻击者可借此修改语句的含义或执行任意SQL命令；注意两条语句都受影响，不只是传给 `GetSqlStringCommand` 的那一条。
string sql =
SqlHelper.GetSqlString(Constants.RetrieveTableDisplay) + tableName +
" WHERE ACCOUNT_NBR='" + AccountNumber +
"' ORDER BY " + GenerateOrderByClause(tableName) + " ) a ) where rn > " +
(currentPageNumber * currentPageSize).ToString() + " AND rn <= " +
((currentPageNumber * currentPageSize) + currentPageSize).ToString();
string recordCount =
"select count(*) from " + tableName +
" WHERE ACCOUNT_NBR='" + AccountNumber + "'";
//Issue is somewhere here of sql injection
if (!Utils.IsUnitTestCase)
{
try
{
using (DbCommand cmd =
OraDB.GetSqlStringCommand(this.ProcessTableName(sql)))
{
using (IDataReader reader = OraDB.ExecuteReader(cmd))
{
object o = OraDB.ExecuteScalar(CommandType.Text, recordCount);
if (o != null)
{
lstEntities.TotalRecords = Convert.ToInt32(o);
}
while (reader.Read())
{
objBasTransactionLog = new BASTransactionLog();
PopulateEntity(objBasTransactionLog, reader);
lstEntities.Add(objBasTransactionLog);
}
}
}
}
}
自定义建议:
补救措施是永远不要使用字符串连接来构建SQL语句。应使用预处理语句（参数化查询，也称占位符）来传递值，例如 `AccountNumber` 和分页边界。需要注意的是：占位符只能绑定值，不能绑定标识符——`tableName` 以及由 `GenerateOrderByClause(tableName)` 生成的 ORDER BY 子句无法参数化，必须在拼接前用已知表名/列名的白名单严格校验（或改为固定语句），否则即使其余部分参数化了，这两处仍然可注入。
防止SQL注入的推荐方法是使用参数化查询：把 `AccountNumber` 这类值通过命令参数传入，而不是拼进字符串。在 SQL Server 下对应的类型是 `SqlParameter`；而这段代码通过 `OraDB.GetSqlStringCommand` 拿到的是 `DbCommand`，从命名看像是 Oracle 数据访问层，应使用该提供程序对应的参数类型和占位符语法（请以 `OraDB` 的实际实现为准）。第二条 `recordCount` 语句同样需要参数化，而不是直接以文本形式交给 `ExecuteScalar(CommandType.Text, …)` 执行。不要使用字符串连接添加参数值；表名和 ORDER BY 这类标识符无法作为参数传入，需用白名单校验。请参阅 Using Parameters for SQL Server Queries and Stored Procedures（该文档以 SQL Server 为例，原理同样适用于其他数据库提供程序）。