Question

我通常使用有问题的小参数,但在这种情况下,我需要动态地创造不仅仅是参数。

Could someone use injection on any of the variables? Aside from a stored procedure is there a simple way to protect against injection via code?

string whereClause = "WHERE " + filter.ToString() + " > " + nextStartPoint;
string orderBy = "ORDER BY " + filter.ToString() + " DESC";

http://www.ohchr.org。

string sql = "SELECT TOP(" + numItemsToGet + ") * " +
                                 "FROM Items " +
                                  whereClause + " " +
                                  orderBy;

Update

过滤器。缩略语

我对以下工作感到惊讶(部分工作)。我还认为,你必须参考一栏名称,并注明精度参数。

cmd.Parameters.AddWithValue("Count", 10); string sql = "SELECT TOP(@Count) * " +

Answer 1

是的,这无疑会受到注射。如果用户控制<条码>过滤器/代码>参数,那么用户便很容易在你的发言中注入正文。

The simplest way to prevent an injection attack is to use SqlCommand to build up your command. It s designed to help prevent such attacks and will take the appropriate steps to protect your input

Answer 2

如果你只有一套有限的过滤器,那么你可以采用这样的方法,但这是一种多少含蓄的做法。 d 我建议使用其他工具,如OR地图仪。

SET ROWCOUNT @numItemsToGet

select  *
from Items
where
    (
        @ColumnANextStartPoint is null
        or ColumnA > @ColumnANextStartPoint
    ) and (
        @ColumnBNextStartPoint is null
        or ColumnB > @ColumnBNextStartPoint
    ) and (
        @ColumnCNextStartPoint is null
        or ColumnC > @ColumnCNextStartPoint
    )
order by
    case @ColumnANextStartPoint when null then null else ColumnA end DESC,
    case @ColumnBNextStartPoint when null then null else ColumnB end DESC,
    case @ColumnCNextStartPoint when null then null else ColumnC end DESC

*My apologies, this code is untested.

Answer 3

防止卡片注入的简单办法是使用像以下例子一样的半元化问题:

 SqlConnection someConnection = new SqlConnection(connection);
 SqlCommand someCommand = new SqlCommand();
 someCommand.Connection = someConnection;

 someCommand.Parameters.Add(
    "@username", SqlDbType.NChar).Value = name;
 someCommand.Parameters.Add(
    "@password", SqlDbType.NChar).Value = password;
 someCommand.CommandText = "SELECT AccountNumber FROM Users " + 
    "WHERE Username=@username AND Password=@password";

 someConnection.Open();
 object accountNumber = someCommand.ExecuteScalar();
 someConnection.Close();

Answer 4

There isn t enough information about the nature of filter and its string representations to rule it out. Possibly it s 100% safe because none of its possible values can cause injection, but possibly it s 100% unsafe because it s really easy to inject through it.

友情链接