Related knowledge:
string name = "Bikes";
string strCmd = "SELECT ProductCategoryID, Name FROM Production.ProductCategory WHERE Name='" + name + "'";
Note: the single quote is the delimiter that marks the start and end of a string literal.
string name = "Bikes'; DELETE FROM Production.ProductCategory;'";
string strCmd = "SELECT ProductCategoryID, Name FROM Production.ProductCategory WHERE Name='" + name + "'";
Note: a single quote is added after Bikes so that, together with "... Name='" + name + "'", the text forms a syntactically valid SQL statement, which is executed in the following form:
"SELECT ProductCategoryID, Name FROM Production.ProductCategory WHERE Name='Bikes'; DELETE FROM Production.ProductCategory;";
In this case, strCmd first executes the SELECT statement and then executes the DELETE statement.
string strCmd = "SELECT ProductCategoryID, Name FROM Production.ProductCategory WHERE Name='" + name + "'";
string strCmdEncoded = strCmd.Replace("'", "''");
Code example:
using System;
using System.Data.SqlClient;

class Program
{
    static void Main(string[] args)
    {
        string userName = "xxx";
        string password = "xxx' OR '1'='1"; // construct a string that can trigger a SQL injection attack
        string strCmd = "SELECT AccountID FROM Account WHERE AccountName='" + userName +
                        "' AND Password='" + password + "'";
        // The following statement replaces each single quote with two single quotes, so that it no
        // longer marks the start or end of a string, which eliminates the SQL injection attack
        //strCmd = strCmd.Replace("'", "''");

        string strConn = @"server=Joe-PC;database=AccountDBforSQLInjection;uid=sa;pwd=root";
        SqlConnection conn = new SqlConnection(strConn);
        conn.Open();
        SqlCommand cmd = new SqlCommand(strCmd, conn);
        SqlDataReader dr = cmd.ExecuteReader();
        if (dr.Read())
        {
            Console.WriteLine("登录成功!");
        }
        else
        {
            Console.WriteLine("用户名或密码错误!");
        }
        dr.Close();
        conn.Close();
    }
}
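As an added example (not code from the original post), the login check above is rebuilt in Python against an in-memory SQLite database that stands in for the post's SQL Server Account table; the table, the two rows and the payload are constructed for this demonstration. It runs three variants side by side: the concatenated query the post shows, the post's quote-doubling defence, and a parameterized query. One caveat the post does not make explicit: applying Replace("'", "''") to the finished strCmd also doubles the query's own delimiting quotes and turns it into invalid SQL, so the replacement must be applied to each user-supplied value before it is spliced in, as escape_literal does here. Parameterized queries (SqlParameter in ADO.NET, the ? placeholders below) are the standard remedy because the value never becomes part of the SQL text at all.

```python
import sqlite3

def make_db():
    """Constructed sample data: an Account table with two users, one of whom
    has a legitimate single quote in the account name."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Account(
            AccountID   INTEGER PRIMARY KEY,
            AccountName TEXT NOT NULL,
            Password    TEXT NOT NULL
        );
        INSERT INTO Account(AccountName, Password) VALUES ('alice', 's3cret');
        INSERT INTO Account(AccountName, Password) VALUES ('o''brien', 'pw');
    """)
    return conn

DB = make_db()

def login_concat(conn, user, pwd):
    """Vulnerable: the post's pattern, user input spliced into the command text."""
    sql = ("SELECT AccountID FROM Account WHERE AccountName='" + user +
           "' AND Password='" + pwd + "'")
    return conn.execute(sql).fetchone() is not None

def escape_literal(value):
    """The post's quote-doubling, applied to the value before concatenation
    rather than to the finished command text."""
    return value.replace("'", "''")

def login_escaped(conn, user, pwd):
    """Concatenation with each value escaped first: the injected quote now
    stays inside the literal instead of terminating it."""
    sql = ("SELECT AccountID FROM Account WHERE AccountName='" + escape_literal(user) +
           "' AND Password='" + escape_literal(pwd) + "'")
    return conn.execute(sql).fetchone() is not None

def login_param(conn, user, pwd):
    """Recommended: placeholders; the driver passes values separately from
    the SQL text, so they can never change the statement's structure."""
    sql = "SELECT AccountID FROM Account WHERE AccountName=? AND Password=?"
    return conn.execute(sql, (user, pwd)).fetchone() is not None

def concat_breaks_on(conn, user, pwd):
    """True if the concatenated query is rejected as malformed SQL; shows that
    concatenation also fails on honest input that contains a quote."""
    try:
        login_concat(conn, user, pwd)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    payload = "xxx' OR '1'='1"  # the post's tautology payload
    print("concat  :", login_concat(DB, "xxx", payload))    # True: authentication bypassed
    print("escaped :", login_escaped(DB, "xxx", payload))   # False
    print("param   :", login_param(DB, "xxx", payload))     # False
    print("o'brien concat breaks:", concat_breaks_on(DB, "o'brien", "pw"))  # True
    print("o'brien via param    :", login_param(DB, "o'brien", "pw"))       # True
```

Because the tautology turns the WHERE clause into (AccountName='xxx' AND Password='xxx') OR '1'='1', login_concat returns the first account row for any credentials, while both hardened variants return no row. The post's stacked DELETE statement is not reproduced here because sqlite3's execute() refuses to run more than one statement per call; SQL Server's SqlCommand does execute the whole batch, which is why that example works as the post describes.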
Program analysis:
Original URL: http://www.cnblogs.com/chenguangqiao/p/4353718.html