我对如何防止 SQL 注入感到困惑,我在网上查看过。我是使用存储过程,还是创建变量,我完全迷失了。
\n\n Try\n connection.Open()\n \xe2\x80\x99we got here so our connection to the db is sound\n chosen = cboBooks.SelectedIndex\n id = customerList(cboCustomers.SelectedIndex)\n isbn = isbnList(cboBooks.SelectedIndex)\n If number <= qty Then\n Dim sql As String\n sql = "INSERT INTO purchase(customer_id, ISBN, store_id, quantity)\n VALUES(" & id & ", " & isbn & ", 1, " & number & ");"\n Dim cmd As New SqlCommand(sql, connection)\n Dim rows As Integer\n rows = cmd.ExecuteNonQuery()\n If rows >= 1 Then\n \xe2\x80\x99now update the inventory to reflect a sale\n sql = "UPDATE inventory SET quantity = (quantity -" & number & ")\n WHERE inventory.ISBN = " & isbn & " AND store_id = 1"\n \xe2\x80\x99define and execute the query command\n Dim cmd2 As New SqlCommand(sql, connection)\n rows = cmd2.ExecuteNonQuery\n每当您连接 sql 并使用用户可以直接访问的变量时,您就会面临 SQL 注入的危险。
在您的情况下,修复可能如下所示:
sql = "INSERT INTO purchase(customer_id, ISBN, store_id, quantity)
VALUES(@id, @isbn , 1, @number);"
Dim cmd As New SqlCommand(sql, connection)
cmd.Parameters.AddWithValue("@id", id )
cmd.Parameters.AddWithValue("@isbn", isbn )
cmd.Parameters.AddWithValue("@number", number)
Dim rows As Integer
rows = cmd.ExecuteNonQuery()
第二个查询如下所示:
sql = "UPDATE inventory SET quantity = (quantity - @number)
WHERE inventory.ISBN = @isbn AND store_id = 1"
Dim cmd2 As New SqlCommand(sql, connection)
cmd2.Parameters.AddWithValue("@number", id )
cmd2.Parameters.AddWithValue("@isbn", isbn )
rows = cmd2.ExecuteNonQuery
通过使用参数,可以对任何恶意代码的字符串进行转义。
其他好的参考:
XKCD 漫画“Bobby Tables”中的 SQL 注入是如何工作的?
编辑:
正如 @AndyLester 在评论中指出的那样,我试图建议的是,使用用户数据连接到可执行代码中是危险的!
| 归档时间: |
|
| 查看次数: |
7262 次 |
| 最近记录: |