SQL预编译防注入小测试
生活随笔
收集整理的這篇文章主要介紹了
SQL预编译防注入小测试
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
個人對SQL預編譯的認識:
1、效率提升,對SQL語句編譯一次可多次使用.避免了硬解析和軟解析等步驟,當執行的語句上規模的時候性能差異還是很明顯的。
2、安全提升,預編譯之后的SQL語句,語義不會發生變化,安全性有相當大的提升。
?
using System; using System.Collections.Generic; using System.Linq; using System.Text; using System.Data.SqlClient; using System.Data;namespace PreSql {class Program{/** create table test_table ( a nvarchar(20) )insert into test_table(a) values('2');*/const string conStr = @"Password=1qaz!QAZ;Persist Security Info=True;User ID=sa;Initial Catalog=IBatisNet;Data Source=WANGN\CR";static void Main(string[] args){Console.WriteLine("SqlJoin:");SqlJoin();Console.WriteLine();Console.WriteLine("PreSqlTest");PreSqlTest();Console.WriteLine("Completed");Console.Read();}static void SqlJoin(){string sql = "select count(*) from test_table where a='{0}'";string tmpSql = string.Format(sql, "1' or '1'='1");string tmpSql2 = string.Format(sql, "1");using (SqlConnection conn = new SqlConnection(conStr)){if (conn.State != ConnectionState.Open){conn.Open();}SqlCommand com = new SqlCommand(tmpSql, conn);object obj = com.ExecuteScalar();Console.WriteLine("SQL注入成功:" + obj.ToString());SqlCommand com2 = new SqlCommand(tmpSql2, conn);object obj2 = com2.ExecuteNonQuery();Console.WriteLine("正常應返回-1:" + obj2);}}static void PreSqlTest(){string sql = "select count(*) from test_table where a=@id";using (SqlConnection conn = new SqlConnection(conStr)){if (conn.State != ConnectionState.Open){conn.Open();}SqlCommand com = new SqlCommand(sql, conn);com.Parameters.Add(new SqlParameter{DbType = DbType.String,Size = 256,ParameterName = "@id",Value = "1 or 1=1"});object obj = com.ExecuteScalar();Console.WriteLine("SQL注入不成功:" + obj.ToString());SqlCommand com2 = new SqlCommand(sql, conn);com2.Parameters.Add(new SqlParameter{DbType = DbType.String,Size = 256,ParameterName = "@id",Value = "1"});object obj2 = com2.ExecuteNonQuery();Console.WriteLine("正常應返回-1:" + obj2);}}} }執行結果:
SqlJoin:
SQL注入成功:1
正常應返回-1:-1
PreSqlTest
SQL注入不成功:0
正常應返回-1:-1
Completed
轉載于:https://www.cnblogs.com/wangn/p/4170755.html
創作挑戰賽新人創作獎勵來咯,堅持創作打卡瓜分現金大獎總結
以上是生活随笔為你收集整理的SQL预编译防注入小测试的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: IOS-状态栏的简单操作
- 下一篇: Unity 利用Coroutine实现跳