-- Builds the statement by string concatenation and runs it with EXEC.
-- @strWhere is appended verbatim: the nvarchar(1000) declaration bounds its
-- length, not its content, so whatever text the caller passes becomes part of
-- the executed statement. The parameterised rewrite further down is the fix.
CREATE proc [dbo].[t_user_GetJoinTask]
@strWhere nvarchar(1000)
as
declare @sql nvarchar(1500)
set @sql = 'SELECT u.Uid,u.Username,u.Tel,u.Call, t_task.*
FROM t_user as u INNER JOIN
t_task ON u.Uid= t_task.UserID '+@strWhere -- caller-supplied text is spliced in here unchanged
exec (@sql) -- the concatenated string is executed as-is
// Binding @strWhere as an NVarChar(1000) parameter only fixes its type and
// length; the stored procedure still splices the text into its SQL string,
// so the binding does not prevent the injection shown on this page.
var parameters = new SqlParameter[]
{
    new SqlParameter("@strWhere", SqlDbType.NVarChar, 1000) { Value = "SQL注入语句" }
};
之后执行存储过程的代码我就省略了
-- SqlCommand cmd = new SqlCommand(procName, Conn);
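/// <summary>
/// Accumulates an SQL condition fragment (without the WHERE keyword) from
/// field/value pairs joined with "and".
/// NOTE(review): values are written into the text as quoted literals. The only
/// "protection" is the keyword/quote stripping in <see cref="FiltrateSql"/>,
/// which is a blacklist and not a substitute for parameterised queries; callers
/// that take values from a UI should bind SqlParameters instead.
/// </summary>
public class SqlQuery
{
    private string sql;

    public SqlQuery()
    {
        sql = string.Empty;
    }

    /// <summary>
    /// Appends one condition, joined with " and " to whatever was added before.
    /// </summary>
    /// <param name="fieldName">Column name, emitted verbatim — must come from code, never from user input.</param>
    /// <param name="value">Values for the condition; "Eq" uses the first element, "In"/"NotIn" use the whole list.</param>
    /// <param name="oper">"Eq", "In" or "NotIn"; any other operator adds nothing.</param>
    public void Add(string fieldName, ArrayList value, string oper)
    {
        if (value == null || value.Count == 0)
            return;

        string condition;
        switch (oper)
        {
            case "Eq":
                // Format the first element, not the ArrayList itself — formatting the
                // list object would emit its type name rather than the value.
                condition = string.Format("{0} ='{1}'", fieldName, value[0]);
                break;
            case "In":
                condition = string.Format(" {0} In({1}) ", fieldName, DobConvert.ArrayListToString(value));
                break;
            case "NotIn":
                condition = string.Format(" {0} Not In({1}) ", fieldName, DobConvert.ArrayListToString(value));
                break;
            default:
                // Unknown operator: add nothing (previously a dangling " and " was left behind).
                return;
        }

        // Only join once we know a condition is actually being appended.
        if (sql != string.Empty)
            sql += " and ";
        sql += condition;
    }

    /// <summary>
    /// Returns the accumulated fragment (no WHERE keyword), after <see cref="FiltrateSql"/>.
    /// </summary>
    public string GetSql
    {
        get
        {
            return FiltrateSql(sql);
        }
    }

    /// <summary>
    /// Upper-cases the fragment and removes INSERT/UPDATE/DELETE and single quotes.
    /// This is a blacklist, not a defence: only three keywords and the quote
    /// character are touched, every value loses its case, and the quotes that
    /// <see cref="Add"/> put around "Eq" values are stripped too. Kept for
    /// compatibility; prefer parameterised queries.
    /// </summary>
    /// <param name="sql">Fragment to filter; null is treated as empty.</param>
    /// <returns>The upper-cased fragment with the listed tokens removed.</returns>
    public static string FiltrateSql(string sql)
    {
        if (string.IsNullOrEmpty(sql))
            return string.Empty;

        string[] blocked = { "INSERT", "UPDATE", "DELETE" };
        string strSql = sql.ToUpper();
        foreach (string keyword in blocked)
        {
            // Strings are immutable: Replace returns a new string, so the result
            // must be assigned back (the original discarded it, so nothing was removed).
            strSql = strSql.Replace(keyword, string.Empty);
        }
        return strSql.Replace("'", string.Empty);
    }
}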
// Usage as posted. NOTE(review): Add() above takes an ArrayList and the class
// exposes GetSql, not GetWhere, so this snippet does not match the class as
// shown — presumably an overload and a property were omitted from the post.
// As written the second argument is a literal string; the author likely meant
// concatenating txtTrueName.Text, i.e. a value typed into a UI control. That
// value is quoted straight into the fragment, which is the injection path.
SqlQuery sql = new SqlQuery();
sql.Add("username", "+txtTrueName.Text+", "Eq");
DataTable dt2 = user.GetDataTableList(sql.GetWhere);
--@strWhere可以被注入成任何合法的SQL语句,如
-- What the procedure above executes when @strWhere is appended unchanged:
-- everything between the two "--#1" markers arrived through the parameter.
-- Mitigation: accept values, never SQL text (see the parameterised rewrite
-- below); granting the application account EXECUTE on the procedure rather
-- than SELECT on base tables further limits what appended text can reach.
SELECT u.Uid ,
u.Username ,
u.Tel ,
u.Call ,
t_task.*
FROM t_user AS u
INNER JOIN t_task ON u.Uid = t_task.UserID
--#1  start of the text supplied via @strWhere
CROSS JOIN table_password -- if the name of the password table is guessed, every row of it comes back with the result
--#1  end of the supplied text
WHERE 1 = 1 -- no filtering at all: every row is returned
-- Parameterised replacement for the dynamic-SQL version: callers pass values,
-- never SQL text, so the query shape is fixed when the procedure is created.
-- A NULL parameter means "no filter on that column".
CREATE PROC [dbo].[t_user_GetJoinTask]
    @para1 NVARCHAR(1000) = NULL,
    @para2 NVARCHAR(1000) = NULL
AS
SELECT
    u.Uid,
    u.Username,
    u.Tel,
    u.Call,
    t.*   -- TODO(review): list the t_task columns explicitly once they are known
FROM t_user AS u
INNER JOIN t_task AS t
    ON u.Uid = t.UserID
-- field1/field2 stand in for the real filter columns; each filter is optional
WHERE (@para1 IS NULL OR field1 = @para1)
  AND (@para2 IS NULL OR field2 = @para2)