SQL Injection with Parameterized Queries in ASP.NET

Submitted by 喜你入骨 on 2019-12-11 20:12:17

Question


So I have a bit of a problem. On a website I am developing I allow people to type in an address, once they hit a save button the address they type gets stored in my database.

I was (mistakenly) under the impression that using parameterized queries would help prevent SQL injection, here is my code once they press "save"

SqlConnection Conn = new SqlConnection(@"Data Source=**********;Initial Catalog=********;Persist Security Info=True;User ID=******;Password=*********");
SqlCommand updateMeeting = new SqlCommand(@"UPDATE [*******].[dbo].[**********] SET Title=@title, Date=@date, Location=@location, Announcement=@announcement WHERE Title = '" + commands[1] + "' AND Date = '" + Convert.ToDateTime(commands[2]) + "' AND Location = '" + commands[3] + "'", Conn);
updateMeeting.Parameters.AddWithValue("@title", newTitle);
updateMeeting.Parameters.AddWithValue("@date", newDate);
updateMeeting.Parameters.AddWithValue("@location", newLocation);
updateMeeting.Parameters.AddWithValue("@announcement", newBody);
updateMeeting.Connection.Open();
updateMeeting.ExecuteNonQuery();
updateMeeting.Connection.Close();

newTitle, newDate, newLocation and newBody are just string variables taken from their associated text boxes.

Rest assured that the commands array is sanitized. That's not where my injection problem comes into play.

And yet if I enter the following into my "location" text box, the injection attack succeeds and a row gets added to my database:

');INSERT INTO [********].[dbo].[*********] (Title) VALUES ('Injection'); --

So clearly I've missed something or I'm not understanding how these parameterized queries work. Isn't the entire point of this thing to make sure that the VarChar value for "location" is simply "');INSERT INTO [****].[dbo].[******] (Title) VALUES ('Injection'); --"?

Shouldn't the injection attack fail?


Answer 1:


You're really close - you have parameterized the values you are updating with, but not the values in your WHERE clause. Try something like this instead:

SqlConnection Conn = new SqlConnection(@"Data Source=**********;Initial Catalog=********;Persist Security Info=True;User ID=******;Password=*********");
SqlCommand updateMeeting = new SqlCommand(@"
    UPDATE [*******].[dbo].[**********] 
    SET Title=@title, 
        Date=@date, 
        Location=@location, 
        Announcement=@announcement 
    WHERE Title = @commands1
        AND Date = @commands2
        AND Location = @commands3",
        Conn);
updateMeeting.Parameters.AddWithValue("@title", newTitle);
updateMeeting.Parameters.AddWithValue("@date", newDate);
updateMeeting.Parameters.AddWithValue("@location", newLocation);
updateMeeting.Parameters.AddWithValue("@announcement", newBody);
updateMeeting.Parameters.AddWithValue("@commands1", commands[1]);
updateMeeting.Parameters.AddWithValue("@commands2", Convert.ToDateTime(commands[2]));
updateMeeting.Parameters.AddWithValue("@commands3", commands[3]);
updateMeeting.Connection.Open();
updateMeeting.ExecuteNonQuery();
updateMeeting.Connection.Close();
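
As an added example (not code from the question or either answer), here is the same update written so that every user-controlled value, including the three WHERE-clause values, is bound as a typed parameter rather than concatenated; the table name, column sizes and the input date format are assumptions, since the original names are redacted:

```csharp
using System;
using System.Data;
using System.Globalization;
using Microsoft.Data.SqlClient; // System.Data.SqlClient works the same way in classic ASP.NET

// Hypothetical table [dbo].[Meetings] with columns Title nvarchar(200), [Date] datetime2,
// Location nvarchar(200), Announcement nvarchar(max). The real names are redacted in the question.
static class MeetingRepository
{
    // Parse the date at the input boundary with an explicit format and invariant culture.
    // Convert.ToDateTime on raw text throws FormatException and depends on the server's culture.
    public static bool TryParseDate(string input, out DateTime value) =>
        DateTime.TryParseExact(input, "yyyy-MM-dd", CultureInfo.InvariantCulture,
                               DateTimeStyles.None, out value);

    // Returns the number of rows matched by the WHERE clause. A payload like the one in the
    // question matches 0 rows, because it is compared as a literal string, never parsed as SQL.
    public static int UpdateMeeting(string connectionString,
        string oldTitle, DateTime oldDate, string oldLocation,
        string newTitle, DateTime newDate, string newLocation, string newBody)
    {
        const string sql = @"
            UPDATE [dbo].[Meetings]
            SET Title = @title, [Date] = @date, Location = @location, Announcement = @announcement
            WHERE Title = @oldTitle AND [Date] = @oldDate AND Location = @oldLocation;";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Explicit SqlDbType and size instead of AddWithValue: the parameter type then matches
            // the column, which avoids implicit conversions and keeps index seeks on nvarchar columns.
            cmd.Parameters.Add("@title", SqlDbType.NVarChar, 200).Value = newTitle;
            cmd.Parameters.Add("@date", SqlDbType.DateTime2).Value = newDate;
            cmd.Parameters.Add("@location", SqlDbType.NVarChar, 200).Value = newLocation;
            cmd.Parameters.Add("@announcement", SqlDbType.NVarChar, -1).Value = newBody; // -1 = max
            cmd.Parameters.Add("@oldTitle", SqlDbType.NVarChar, 200).Value = oldTitle;
            cmd.Parameters.Add("@oldDate", SqlDbType.DateTime2).Value = oldDate;
            cmd.Parameters.Add("@oldLocation", SqlDbType.NVarChar, 200).Value = oldLocation;

            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```

Calling UpdateMeeting with the question's payload as oldLocation returns 0 and inserts nothing, which is the quick check that the WHERE clause is now parameterized.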



Answer 2:


It's not a parameterized query. In your where clause you're just concatenating strings:

"... WHERE Title = '" + commands[1] + "' AND Date = '" + Convert.ToDateTime(commands[2]) + "' AND Location = '" + commands[3] + "'"


Source: https://stackoverflow.com/questions/33179048/sql-injection-with-parameterized-queries-in-asp-net
