-2

计划使用:

例如 :

tableName = TableCustomers 
column1 = UserName
column2 = UserMail
-- SP name ......and as zero will select all *, 'firstColName'....
SelectFromGivenTableWithOptionalGivenColumn, 0, 'UserName', '', 'AnyUserName', ''

SSMS或者更好地从生成的执行脚本中复制

USE [KwPos]
GO

DECLARE @return_value int

EXEC    @return_value = [dbo].[SelectFromGivenTableWithOptionalGivenColumns]
    @tableName = 'TableCustomers',
    @zeroForAllTable = 0,
    @Column = 'UserName',
    @Column2 = '',
    @ColVal = 'AnyUserName',
    @ColVal2 = ''

错误 

Invalid column name 'AnyUserName'.

这是 SP 的 SQL(尝试使用SysName&列的两个名称nvarchar导致相同的错误)

SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
ALTER PROCEDURE [dbo].[SelectFromGivenTableWithOptionalGivenColumns] 
    @tableName sysname ='', 
    @zeroForAllTable bit = 0,
    @Column sysname = '',
    @Column2 sysname = '',  
    @ColVal varchar(111) = '',
    @ColVal2 varchar(111) = ''
AS
BEGIN
    SET NOCOUNT ON;

    declare @q varchar(1000)
    if(@zeroForAllTable !=0)
        begin
            if(@Column !='' AND @Column2 !='')
                begin
                    if(@Column != '' AND @ColVal !='' AND @Column2 != '' AND @ColVal2 !='')
                        begin   
                            set @q= 'SELECT ' + @Column + ' FROM ' + @tableName + ' where ' + @Column + ' = ' + @ColVal + ' AND ' + @Column2 + ' = ' + @ColVal2;
                        end
                    else if(@Column !='' AND @ColVal ='')
                        begin
                            set @q = 'SELECT '+ @Column +' FROM ' + @tableName;
                        end
                end
            else
            if(@Column !='' AND @Column = '')
                begin
                    if(@Column != '' AND @ColVal !='')
                        begin   
                            set @q= 'SELECT ' + @Column + ' FROM ' + @tableName + ' where ' + @Column + ' = ' + @ColVal;
                        end
                    else if(@Column !='' AND @ColVal ='')
                        begin
                            set @q = 'SELECT '+ @Column + ' FROM ' + @tableName;
                        end
                end
        end
    else
        begin
            if(@Column !='' AND @Column2 !='')
                begin
                    if(@Column != '' AND @ColVal !='')
                        begin   
                            set @q= 'SELECT * FROM ' + @tableName + ' where ' + @Column+ ' = ' + @ColVal + ' AND ' + @Column2 + ' = ' + @ColVal2;
                        end
                    else if(@Column !='' AND @ColVal ='')
                        begin
                            set @q = 'SELECT * FROM ' + @tableName;
                        end
                end
            else
            if(@Column !='' AND @Column2 = '')
                begin
                    if(@Column != '' AND @ColVal !='')
                        begin   
                            set @q= 'SELECT * FROM ' + @tableName + ' where ' + @Column + ' = ' + @ColVal;
                        end
                    else if(@Column !='' AND @ColVal ='')
                        begin
                            set @q = 'SELECT * FROM ' + @tableName;
                        end
                    else 
                        begin
                            set @q = 'SELECT * FROM ' + @tableName;
                        end
                end
        end

    exec (@q)

END
GO
4

2 回答 2

1

好吧,您只是做了与停止 SQL 注入相反的操作。通过在不正确编码值的情况下动态创建查询,您可能会为 SQL 注入打开一个巨大的漏洞。

您尝试创建的查询将是:

SELECT * FROM TableCustomers where UserName = 'AnyUserName'

但是您创建了:

SELECT * FROM TableCustomers where UserName = AnyUserName

您可以添加缺少的撇号,但注入孔仍然打开。假设用户名是从用户输入的,而不是输入AnyUserName他输入';drop table TableCustomers;--,那么查询将是:

SELECT * FROM TableCustomers where UserName = '';drop table TableCustomers;--'

哎呀,你的桌子不见了。

(强制性 XKCD 参考:http: //xkcd.com/327/

于 2013-07-07T00:16:23.467 回答
0

取自此链接 (第三个示例)

这段代码足够安全吗?

DECLARE @sqlCommand nvarchar(1000)
DECLARE @columnList varchar(75)
DECLARE @city varchar(75)
SET @columnList = 'CustomerID, ContactName, City'
SET @city = 'London'
SET @sqlCommand = 'SELECT ' + @columnList + ' FROM customers WHERE City = @city'
EXECUTE sp_executesql @sqlCommand, N'@city nvarchar(75)', @city = @city

我的意思是......你还能轻松地在这里杀死一些数据吗?

于 2013-07-07T00:46:12.953 回答