首页 > 代码库 > SQL预编译防注入小测试

SQL预编译防注入小测试

个人对SQL预编译的认识:


1、效率提升,对SQL语句编译一次可多次使用.避免了硬解析和软解析等步骤,当执行的语句上规模的时候性能差异还是很明显的。
2、安全提升,预编译之后的SQL语句,语义不会发生变化,安全性有相当大的提升。

 

using System;using System.Collections.Generic;using System.Linq;using System.Text;using System.Data.SqlClient;using System.Data;namespace PreSql{    class Program    {        /*         * create table test_table(a nvarchar(20))insert into test_table(a) values(‘2‘);*/        const string conStr = @"Password=1qaz!QAZ;Persist Security Info=True;User ID=sa;Initial Catalog=IBatisNet;Data Source=WANGN\CR";        static void Main(string[] args)        {            Console.WriteLine("SqlJoin:");            SqlJoin();            Console.WriteLine();            Console.WriteLine("PreSqlTest");            PreSqlTest();            Console.WriteLine("Completed");            Console.Read();        }        static void SqlJoin()        {            string sql = "select count(*) from test_table where a=‘{0}‘";            string tmpSql = string.Format(sql, "1‘ or  ‘1‘=‘1");            string tmpSql2 = string.Format(sql, "1");            using (SqlConnection conn = new SqlConnection(conStr))            {                if (conn.State != ConnectionState.Open)                {                    conn.Open();                }                SqlCommand com = new SqlCommand(tmpSql, conn);                object obj = com.ExecuteScalar();                Console.WriteLine("SQL注入成功:" + obj.ToString());                SqlCommand com2 = new SqlCommand(tmpSql2, conn);                object obj2 = com2.ExecuteNonQuery();                Console.WriteLine("正常应返回-1:" + obj2);            }        }        static void PreSqlTest()        {            string sql = "select count(*) from test_table where a=@id";            using (SqlConnection conn = new SqlConnection(conStr))            {                if (conn.State != ConnectionState.Open)                {                    conn.Open();                }                SqlCommand com = new SqlCommand(sql, conn);                com.Parameters.Add(new SqlParameter                {                    DbType = DbType.String,                    Size = 256,                    ParameterName = "@id",                    Value = "1 or 1=1"                });                object obj = com.ExecuteScalar();                Console.WriteLine("SQL注入不成功:" + obj.ToString());                SqlCommand com2 = new SqlCommand(sql, conn);                com2.Parameters.Add(new SqlParameter                {                    DbType = DbType.String,                    Size = 256,                    ParameterName = "@id",                    Value = "1"                });                object obj2 = com2.ExecuteNonQuery();                Console.WriteLine("正常应返回-1:" + obj2);            }        }    }}

执行结果:

SqlJoin:
SQL注入成功:1
正常应返回-1:-1

PreSqlTest
SQL注入不成功:0
正常应返回-1:-1
Completed

SQL预编译防注入小测试