0

如何防止输入参数中的 SQL 攻击?不安全字符 ('")

我有以下存储过程:

我想保护输入 - @NICKNAME_USER、@PASSWORD_USER

IF  EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].[SP_AUTH]') AND type in (N'P', N'PC'))
DROP PROCEDURE [dbo].[SP_AUTH]
GO

CREATE PROCEDURE [dbo].[SP_AUTH]    (@ACTION    INT = NULL,
                                     @NICKNAME_USER VARCHAR(250) = NULL,
                                     @PASSWORD_USER VARCHAR(250) = NULL)
AS
BEGIN TRY
    IF @ACTION = 'L'
         BEGIN

    SELECT  U.ID AS ID_USER, 
            U.NICKNAME AS NICKNAME
            FROM dbo.T_USERS AS U WITH (NOLOCK)
            WHERE U.NICKNAME = @NICKNAME_USER
            AND U.PASSWORD = @PASSWORD_USER
   END
END TRY
BEGIN CATCH

    DECLARE @ErrorMessage NVARCHAR(4000),
            @ErrorSeverity INT,
            @ErrorState INT

    SELECT 
        @ErrorMessage = ERROR_MESSAGE(),
        @ErrorSeverity = ERROR_SEVERITY(),
        @ErrorState = ERROR_STATE();

    RAISERROR (@ErrorMessage, -- Message text.
               @ErrorSeverity, -- Severity.
               @ErrorState -- State.
               );
END CATCH
4

1 回答 1

4

仅使用带参数的过程将阻止您进行 sql 注入。有关 msdn 的更多信息,请点击此处

于 2012-05-12T11:04:51.950 回答