问题
I have an asp.net application. In which i have this code:
using (Data.connexion)
{
string queryString = @"select id_user , nom, prenom, mail, login, mdp, last_visite, id_group, id_user_status from USERS where login =@login and mdp=@mdp";
SqlCommand command = new SqlCommand(queryString, Data.connexion);
command.Parameters.AddWithValue("@login", _login);
command.Parameters.AddWithValue("@mdp", _password.GetHashCode().ToString());
try
{
SqlDataReader reader = command.ExecuteReader();
do
{
while (reader.Read())
{
return View("Success");
}
} while (reader.NextResult());
}
catch { }
}
When i try a Sql injection attack using this login '' or 1=1 -- , the attack is failed. but if i change the snippet by this one :
using (Data.connexion)
{
string queryString = @"select id_user , nom, prenom, mail, login, mdp, last_visite, id_group, id_user_status from USERS where login =" + _login + " and mdp=" + _password.GetHashCode().ToString();
SqlCommand command = new SqlCommand(queryString, Data.connexion);
// command.Parameters.AddWithValue("@login", _login);
// command.Parameters.AddWithValue("@mdp", _password.GetHashCode().ToString());
try
{
SqlDataReader reader = command.ExecuteReader();
do
{
while (reader.Read())
{
return View("Success");
}
} while (reader.NextResult());
}
catch { }
}
I'm redirected to the view success so the attack is succed.
What is the difference between the two ways of coding? What are the best ways to prevent and avoid an Sql injection attack?
回答1:
Always use command parameters to avoid sql injection. Sql injections are handled by Command Parameter automatically. You don't need to worry about sql injection if you use command parameters.
When you don't use command parameters, the parameters' values are simply inserted in sql query without handling sql injection. But when you use command parameters, ADO.Net handles sql injection for you.
回答2:
The best way to protect against SQL injection is to use parameterised queries.
You can make it as safe when concatenating values into a string, but you have to do it exactly right, and the exact method differs between database brands.
For SQL Server, you would encode the string values by doubling any apostrophes in the string. That way any apostrophes would be interpreted correctly by the database, and it would not be possible to use apostrophes to break out of the string:
string queryString = "select id_user, nom, prenom, mail, login, mdp, last_visite, id_group, id_user_status from USERS where login = '" + _login.Replace("'","''") + "' and mdp = '" + _password.GetHashCode().ToString().Replace("'","''") + "'";
But, it's still easier to use parameterised queries, then the database driver does this for you. If you try to handle the encoding yourself, and doesn't get it right, then you are in a worse place, because you think that the problem is handled but it can be wide open to SQL injection attacks.
Side note: The String.GetHashCode method is not suited for things like hashing passwords. The implementation of the method can change in the future (as it has in the past), which would make all hashed passwords in the database useless.
"Do not serialize hash code values or store them in databases." -- http://msdn.microsoft.com/en-us/library/system.string.gethashcode.aspx
来源:https://stackoverflow.com/questions/18596803/avoiding-an-sql-injection-attack