码迷,mamicode.com
首页 > 数据库 > 详细

SQL预编译防注入小测试

时间:2014-12-18 00:13:32      阅读:235      评论:0      收藏:0      [点我收藏+]

标签:style   blog   ar   io   color   os   使用   sp   for   

个人对SQL预编译的认识:


1、效率提升,对SQL语句编译一次可多次使用.避免了硬解析和软解析等步骤,当执行的语句上规模的时候性能差异还是很明显的。
2、安全提升,预编译之后的SQL语句,语义不会发生变化,安全性有相当大的提升。

 

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Data.SqlClient;
using System.Data;

namespace PreSql
{
    class Program
    {
        /*
         * create table test_table
(
a nvarchar(20)
)


insert into test_table(a) values(‘2‘);*/
        const string conStr = @"Password=1qaz!QAZ;Persist Security Info=True;User ID=sa;Initial Catalog=IBatisNet;Data Source=WANGN\CR";
        static void Main(string[] args)
        {

            Console.WriteLine("SqlJoin:");
            SqlJoin();
            Console.WriteLine();
            Console.WriteLine("PreSqlTest");
            PreSqlTest();

            Console.WriteLine("Completed");

            Console.Read();
        }

        static void SqlJoin()
        {
            string sql = "select count(*) from test_table where a=‘{0}‘";
            string tmpSql = string.Format(sql, "1‘ or  ‘1‘=‘1");
            string tmpSql2 = string.Format(sql, "1");

            using (SqlConnection conn = new SqlConnection(conStr))
            {
                if (conn.State != ConnectionState.Open)
                {
                    conn.Open();
                }
                SqlCommand com = new SqlCommand(tmpSql, conn);
                object obj = com.ExecuteScalar();
                Console.WriteLine("SQL注入成功:" + obj.ToString());

                SqlCommand com2 = new SqlCommand(tmpSql2, conn);
                object obj2 = com2.ExecuteNonQuery();
                Console.WriteLine("正常应返回-1:" + obj2);
            }
        }
        static void PreSqlTest()
        {
            string sql = "select count(*) from test_table where a=@id";
            using (SqlConnection conn = new SqlConnection(conStr))
            {
                if (conn.State != ConnectionState.Open)
                {
                    conn.Open();
                }
                SqlCommand com = new SqlCommand(sql, conn);
                com.Parameters.Add(new SqlParameter
                {
                    DbType = DbType.String,
                    Size = 256,
                    ParameterName = "@id",
                    Value = "1 or 1=1"
                });
                object obj = com.ExecuteScalar();
                Console.WriteLine("SQL注入不成功:" + obj.ToString());

                SqlCommand com2 = new SqlCommand(sql, conn);
                com2.Parameters.Add(new SqlParameter
                {
                    DbType = DbType.String,
                    Size = 256,
                    ParameterName = "@id",
                    Value = "1"
                });
                object obj2 = com2.ExecuteNonQuery();
                Console.WriteLine("正常应返回-1:" + obj2);
            }
        }
    }
}

执行结果:

SqlJoin:
SQL注入成功:1
正常应返回-1:-1

PreSqlTest
SQL注入不成功:0
正常应返回-1:-1
Completed

SQL预编译防注入小测试

标签:style   blog   ar   io   color   os   使用   sp   for   

原文地址:http://www.cnblogs.com/wangn/p/4170755.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!