2 c# sql sql-server asp.net stored-procedures
我试图通过登录表单对我的存储过程进行sql注入.这是我的存储过程
CREATE proc [dbo].[sp_ADM_Login]
@loginName varchar(25),
@password varchar(100)
)
AS
select
l.LoginId,
l.LoginName,
l.LoginType,
l.RG_cCode,
dbo.GetUserName(l.UserDetailsCode, l.LoginType) as [Name],
isnull(l.DefBranchId, 0) as BranchId,
l.DefBranchCode as branchCode,
l.LoginCode as loginCode
from
ADM_Login l
where
LoginName = @loginName and
[Password] = @password and
l.IsActive = 1
我尝试给用户名user' or 1=1--
但它不起作用.是否可以在此代码中执行sql注入?
要执行存储过程,这是C#代码
Database db = DatabaseFactory.CreateDatabase("ConnectionString");
DbCommand cmd = db.GetStoredProcCommand("sp_ADM_Login");
db.AddInParameter(cmd, "@loginName", DbType.String, loginName);
db.AddInParameter(cmd, "@password", DbType.String, password);
DbDataReader dr = (DbDataReader)db.ExecuteReader(cmd);
不,只要您使用参数从C#代码中调用它们,就无法使用正确参数化的查询进行SQL注入.如果您自己格式化EXEC sp_ADM_login...SQL字符串,则您很容易受到攻击.
使用适当的参数使用C#代码就可以了.任何奇怪的值都将被正确转义.