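-- =============================================
-- Author: 牛腩
-- Create date: 2008-11-17 14:38
-- Description: Add a category. The original body built the INSERT by string
--              concatenation and ran it through EXEC, so the text of @name was
--              spliced into the statement and a quote inside the value changed
--              what the statement did (this is what the client test below
--              demonstrates). A static INSERT keeps @name a bound value, so the
--              caller's input is never interpreted as SQL and needs no quoting
--              or escaping.
-- =============================================
ALTER PROCEDURE [dbo].[category_insert]
@name varchar(100)
AS
BEGIN
    -- @name is a parameter of a static statement, never part of the SQL text.
    -- If dynamic SQL is ever genuinely required, run it through sp_executesql
    -- with a parameter list rather than EXEC on a concatenated string.
    INSERT INTO category(name) VALUES (@name);
END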
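// NOTE(review): live credentials for the sa login are embedded in source; move the
// connection string to configuration and use a least-privilege database login.
string connStr = @"server=niunan\sqlexpress; database=newssystem; uid=sa; pwd=123456";
int i;
// Disposing via using guarantees the connection and command are released even
// when Open() or ExecuteNonQuery() throws; the original only called Close() on
// the success path, leaking the connection on any exception.
using (SqlConnection conn = new SqlConnection(connStr))
using (SqlCommand cmd = new SqlCommand("category_insert", conn))
{
    cmd.CommandType = CommandType.StoredProcedure;
    // The client side is correct: the text is sent as a bound parameter value.
    // Whether the quote and "--" inside it can do any harm depends entirely on
    // whether category_insert uses @name as a value or splices it into SQL text.
    cmd.Parameters.Add(new SqlParameter("@name", "bbb');delete category where id=14--"));
    conn.Open();
    i = cmd.ExecuteNonQuery();
}
Response.Write(i);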
// Same kind of payload as the stored-procedure test above, but here the text is
// bound as a typed NVarChar parameter of a static statement: it can only ever be
// compared against the title column and never becomes part of the SQL itself.
DBHelper.ExecuteNonQuery(
    "SELECT TOP 1 * FROM Error WHERE title = @title",   // command text
    CommandType.Text,                                    // plain statement, not a procedure
    DBHelper.CreateSqlParameter(
        "@title",                   // parameter name referenced in the command text
        SqlDbType.NVarChar,         // value type
        100,                        // length
        ParameterDirection.Input,   // direction
        "'输入字符串的格式不正确。';DELETE FROM Error WHERE eid = 1465 --"  // value
    )
);
//值类型
SqlDbType.NVarChar,
//长度
100,
// Blacklist check on the login name: rejects a single quote or a "--" comment
// marker before the value reaches the database. This is a defence-in-depth
// measure only; it does not replace binding the value as a query parameter,
// and it also rejects legitimate names that contain an apostrophe.
string userCode = this.txtUserCode.Text;
bool hasQuote = userCode.IndexOf('\'') >= 0;
bool hasCommentMarker = userCode.IndexOf("--", StringComparison.Ordinal) >= 0;
if (hasQuote || hasCommentMarker)
{
    Alert("登陆失败: " + "你的输入含有非法字符,请重新输入");
    return;
}
// Blacklist check on the login name: rejects a single quote or a "--" comment
// marker before the value reaches the database. This is a defence-in-depth
// measure only; it does not replace binding the value as a query parameter,
// and it also rejects legitimate names that contain an apostrophe.
string userCode = this.txtUserCode.Text;
bool hasQuote = userCode.IndexOf('\'') >= 0;
bool hasCommentMarker = userCode.IndexOf("--", StringComparison.Ordinal) >= 0;
if (hasQuote || hasCommentMarker)
{
    Alert("登陆失败: " + "你的输入含有非法字符,请重新输入");
    return;
}