首页 > 代码库 > SQL预编译防注入小测试
SQL预编译防注入小测试
个人对SQL预编译的认识:
1、效率提升,对SQL语句编译一次可多次使用.避免了硬解析和软解析等步骤,当执行的语句上规模的时候性能差异还是很明显的。
2、安全提升,预编译之后的SQL语句,语义不会发生变化,安全性有相当大的提升。
using System;using System.Collections.Generic;using System.Linq;using System.Text;using System.Data.SqlClient;using System.Data;namespace PreSql{ class Program { /* * create table test_table(a nvarchar(20))insert into test_table(a) values(‘2‘);*/ const string conStr = @"Password=1qaz!QAZ;Persist Security Info=True;User ID=sa;Initial Catalog=IBatisNet;Data Source=WANGN\CR"; static void Main(string[] args) { Console.WriteLine("SqlJoin:"); SqlJoin(); Console.WriteLine(); Console.WriteLine("PreSqlTest"); PreSqlTest(); Console.WriteLine("Completed"); Console.Read(); } static void SqlJoin() { string sql = "select count(*) from test_table where a=‘{0}‘"; string tmpSql = string.Format(sql, "1‘ or ‘1‘=‘1"); string tmpSql2 = string.Format(sql, "1"); using (SqlConnection conn = new SqlConnection(conStr)) { if (conn.State != ConnectionState.Open) { conn.Open(); } SqlCommand com = new SqlCommand(tmpSql, conn); object obj = com.ExecuteScalar(); Console.WriteLine("SQL注入成功:" + obj.ToString()); SqlCommand com2 = new SqlCommand(tmpSql2, conn); object obj2 = com2.ExecuteNonQuery(); Console.WriteLine("正常应返回-1:" + obj2); } } static void PreSqlTest() { string sql = "select count(*) from test_table where a=@id"; using (SqlConnection conn = new SqlConnection(conStr)) { if (conn.State != ConnectionState.Open) { conn.Open(); } SqlCommand com = new SqlCommand(sql, conn); com.Parameters.Add(new SqlParameter { DbType = DbType.String, Size = 256, ParameterName = "@id", Value = "1 or 1=1" }); object obj = com.ExecuteScalar(); Console.WriteLine("SQL注入不成功:" + obj.ToString()); SqlCommand com2 = new SqlCommand(sql, conn); com2.Parameters.Add(new SqlParameter { DbType = DbType.String, Size = 256, ParameterName = "@id", Value = "1" }); object obj2 = com2.ExecuteNonQuery(); Console.WriteLine("正常应返回-1:" + obj2); } } }}
执行结果:
SqlJoin:
SQL注入成功:1
正常应返回-1:-1
PreSqlTest
SQL注入不成功:0
正常应返回-1:-1
Completed
SQL预编译防注入小测试
声明:以上内容来自用户投稿及互联网公开渠道收集整理发布,本网站不拥有所有权,未作人工编辑处理,也不承担相关法律责任,若内容有误或涉及侵权可进行投诉: 投诉/举报 工作人员会在5个工作日内联系你,一经查实,本站将立刻删除涉嫌侵权内容。