
Notes on Preventing SQL Injection Attacks

I. SQL Injection and the Basics of Defending Against It
As most of you probably know, SQL injection mainly exploits gaps in the checking of string-type parameter input.
For example, suppose a program contains a query like this:
 string sql = "SELECT * from SiteUsers WHERE UserName='" + userName + "'";
The userName parameter here comes from input in the user interface.
With normal input, for example "Peter", the SQL statement is concatenated into:
 "SELECT * from SiteUsers WHERE UserName='Peter'";
If an attacker instead enters the following string:
  "xxx'; DROP TABLE SiteUsers WHERE 1=1 or UserName='xxx"
the SQL statement then becomes:
  "SELECT * from SiteUsers WHERE UserName='xxx'; DROP TABLE SiteUsers WHERE 1=1 or UserName='xxx'";
As a result, two SQL statements are executed, and the consequences of the second one are fairly serious.
Preventing the injection is actually simple: just double every single quote in the user's input:
 string sql = "SELECT * from SiteUsers WHERE UserName='" + userName.Replace("'","''") + "'";
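With this in place, if the malicious parameter above is entered, the whole SQL statement becomes:
 "SELECT * from SiteUsers WHERE UserName='xxx''; DROP TABLE SiteUsers WHERE 1=1 or UserName=''xxx'";
What gets executed is still a single SQL statement; the entire part between the outermost single quotes (shown in bold in the original) becomes the parameter value.
The usual practice is to call a shared function like the one below throughout the program to process parameters: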
private string SafeSqlLiteral(string inputSQL)
{
  return inputSQL.Replace("'", "''");
}
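Because many people overlook this single-quote replacement, the genuinely safe approach is to use parameterized queries.
II. Parameterized Queries
ADO.NET provides parameterized queries, which can replace the SQL string concatenation shown above.
A parameterized query is implemented as follows:
(1) Write a SQL statement that contains parameter names and use it as the CommandText of a SqlCommand.
(2) Set the parameter values with the Parameters.Add method.
(3) Execute the SqlCommand. (This step is the same as with the concatenated-SQL approach above.)
Here is an example: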
 string sql = "SELECT T2.dep_code, T2.dep_name from DEP T2 ";
 sql += " WHERE T2.dep_name like ('%' + @Param + '%') ";
 SqlCommand sqlCommand = new SqlCommand(sql, cn);
 // Bind the user's search string as a value; it is never parsed as SQL text.
 sqlCommand.Parameters.Add(new SqlParameter("@Param", s));
Here @Param is the parameter name, and s is the search-condition string entered by the user.
(Incidentally
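The parameterized LIKE query from section II, as an added example (not the original author's code), written in Python against an in-memory SQLite database so it runs without a SQL Server. `||` and `:Param` stand in for T-SQL's `+` and `@Param`; the table rows, function names and the wildcard-escaping step are assumptions added here. It shows that binding keeps quotes in the input from altering the statement, while `%` and `_` in the input still act as LIKE wildcards unless escaped.

```python
import sqlite3

# The hostile input quoted in the article, reused here purely as test data.
HOSTILE = "xxx'; DROP TABLE SiteUsers WHERE 1=1 or UserName='xxx"

def make_db():
    """In-memory stand-in for the DEP table; all rows are constructed samples."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE DEP (dep_code TEXT, dep_name TEXT)")
    db.executemany("INSERT INTO DEP VALUES (?, ?)",
                   [("D01", "Sales"), ("D02", "R&D 100%"), ("D03", "O'Brien Lab")])
    return db

def search_concat(db, s):
    """Concatenated form: the input becomes part of the SQL text itself."""
    sql = "SELECT dep_code FROM DEP WHERE dep_name LIKE '%" + s + "%' ORDER BY 1"
    return [row[0] for row in db.execute(sql)]

def search_param(db, s):
    """Parameterized form: s is bound as a value and never parsed as SQL."""
    sql = ("SELECT T2.dep_code FROM DEP T2 "
           "WHERE T2.dep_name LIKE ('%' || :Param || '%') ORDER BY 1")
    return [row[0] for row in db.execute(sql, {"Param": s})]

def escape_like(s, esc="\\"):
    """Escape LIKE metacharacters so the input only matches literally."""
    for ch in (esc, "%", "_"):   # escape character first, then the wildcards
        s = s.replace(ch, esc + ch)
    return s

def search_literal(db, s):
    """Parameterized and wildcard-safe: '%' and '_' in s lose their meaning."""
    sql = ("SELECT T2.dep_code FROM DEP T2 WHERE T2.dep_name "
           "LIKE ('%' || :Param || '%') ESCAPE '\\' ORDER BY 1")
    return [row[0] for row in db.execute(sql, {"Param": escape_like(s)})]

if __name__ == "__main__":
    db = make_db()
    try:
        search_concat(db, "O'Brien")       # a harmless apostrophe breaks the statement
    except sqlite3.OperationalError as exc:
        print("concatenated query failed:", exc)
    print(search_param(db, "O'Brien"))     # the apostrophe is just data
    print(search_param(db, HOSTILE))       # treated as a search string only
    print(search_param(db, "%"))           # wildcard in the input still applies
    print(search_literal(db, "%"))         # matches only a literal percent sign
```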

