
Good afternoon programmers, I've run into an error here. When I enter random characters like the following, you will see my search crash: %^&*&%. Here is the error and the search code, see below:

Server Error in '/' Application.

Error in Like operator: the string pattern '%$%^$&^%' is invalid.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.EvaluateException: Error in Like operator: the string pattern '%$%^$&^%' is invalid.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

    [EvaluateException: Error in Like operator: the string pattern '%$%^$&^%' is invalid.]
    System.Data.LikeNode.AnalyzePattern(String pat) +1277726
    System.Data.LikeNode.Eval(DataRow row, DataRowVersion version) +341
    System.Data.BinaryNode.Eval(ExpressionNode expr, DataRow row, DataRowVersion version, Int32[] recordNos) +20
    System.Data.BinaryNode.EvalBinaryOp(Int32 op, ExpressionNode left, ExpressionNode right, DataRow row, DataRowVersion version, Int32[] recordNos) +12960
    System.Data.BinaryNode.Eval(DataRow row, DataRowVersion version) +25
    System.Data.BinaryNode.Eval(ExpressionNode expr, DataRow row, DataRowVersion version, Int32[] recordNos) +20
    System.Data.BinaryNode.EvalBinaryOp(Int32 op, ExpressionNode left, ExpressionNode right, DataRow row, DataRowVersion version, Int32[] recordNos) +12960
    System.Data.BinaryNode.Eval(DataRow row, DataRowVersion version) +25
    System.Data.BinaryNode.Eval(ExpressionNode expr, DataRow row, DataRowVersion version, Int32[] recordNos) +20
    System.Data.BinaryNode.EvalBinaryOp(Int32 op, ExpressionNode left, ExpressionNode right, DataRow row, DataRowVersion version, Int32[] recordNos) +12960
    System.Data.BinaryNode.Eval(DataRow row, DataRowVersion version) +25
    System.Data.BinaryNode.Eval(ExpressionNode expr, DataRow row, DataRowVersion version, Int32[] recordNos) +20
    System.Data.BinaryNode.EvalBinaryOp(Int32 op, ExpressionNode left, ExpressionNode right, DataRow row, DataRowVersion version, Int32[] recordNos) +12960
    System.Data.BinaryNode.Eval(DataRow row, DataRowVersion version) +25
    System.Data.BinaryNode.Eval(ExpressionNode expr, DataRow row, DataRowVersion version, Int32[] recordNos) +20
    System.Data.BinaryNode.EvalBinaryOp(Int32 op, ExpressionNode left, ExpressionNode right, DataRow row, DataRowVersion version, Int32[] recordNos) +12960
    System.Data.BinaryNode.Eval(DataRow row, DataRowVersion version) +25
    System.Data.DataExpression.Invoke(DataRow row, DataRowVersion version) +145
    System.Data.Index.AcceptRecord(Int32 record, IFilter filter) +101
    System.Data.Index.InitRecords(IFilter filter) +297
    System.Data.Index..ctor(DataTable table, IndexField[] indexFields, Comparison`1 comparison, DataViewRowState recordStates, IFilter rowFilter) +464
    System.Data.DataTable.GetIndex(IndexField[] indexDesc, DataViewRowState recordStates, IFilter rowFilter) +212
    System.Data.DataView.UpdateIndex(Boolean force, Boolean fireEvent) +159
    System.Data.DataView.UpdateIndex(Boolean force) +12
    System.Data.DataView.SetIndex2(String newSort, DataViewRowState newRowStates, IFilter newRowFilter, Boolean fireEvent) +108
    System.Data.DataView.SetIndex(String newSort, DataViewRowState newRowStates, IFilter newRowFilter) +14
    System.Data.DataView.set_RowFilter(String value) +158
    System.Web.UI.WebControls.FilteredDataSetHelper.CreateFilteredDataView(DataTable table, String sortExpression, String filterExpression, IDictionary filterParameters) +387
    System.Web.UI.WebControls.SqlDataSourceView.ExecuteSelect(DataSourceSelectArguments arguments) +1830
    System.Web.UI.DataSourceView.Select(DataSourceSelectArguments arguments, DataSourceViewSelectCallback callback) +21
    System.Web.UI.WebControls.DataBoundControl.PerformSelect() +138
    System.Web.UI.WebControls.BaseDataBoundControl.DataBind() +30
    System.Web.UI.WebControls.GridView.DataBind() +4
    System.Web.UI.WebControls.BaseDataBoundControl.EnsureDataBound() +105
    System.Web.UI.WebControls.CompositeDataBoundControl.CreateChildControls() +75
    System.Web.UI.Control.EnsureChildControls() +83
    System.Web.UI.Control.PreRenderRecursiveInternal() +42
    System.Web.UI.Control.PreRenderRecursiveInternal() +168
    System.Web.UI.Control.PreRenderRecursiveInternal() +168
    System.Web.UI.Control.PreRenderRecursiveInternal() +168
    System.Web.UI.Control.PreRenderRecursiveInternal() +168
    System.Web.UI.Control.PreRenderRecursiveInternal() +168
    System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +974

The code is:

    public static bool IsDate(Object obj)
    {
        string strDate = obj.ToString();
        try
        {
            DateTime dt = DateTime.Parse(strDate);
            if (dt != DateTime.MinValue && dt != DateTime.MaxValue)
                return true;
            return false;
        }
        catch
        {
            return false;
        }
    }

    protected void BtnWinnersSearch_Click(object sender, EventArgs e)
    {
        // Only single quotes are doubled; LIKE metacharacters (% * [ ]) pass through untouched.
        string searchText = txtWinnersSearch.Text.Replace("'", "''").Trim();
        bool isDate = IsDate(searchText);

        GridViewWinners.Visible = true;

        if (isDate == true)
        {
            SqlDataSource4.FilterExpression = "dob" + " ='" + Convert.ToDateTime(searchText).ToString("yyyy-MM-dd") + "'";
        }
        else
        {
            // The raw search text is concatenated into each LIKE pattern; this is where '%^&*&%' throws.
            SqlDataSource4.FilterExpression = "nickname like '%" + searchText + "%' or username like '%" + searchText +
                "%' or clubnumber like '%" + searchText + "%' or firstname like '%" +
                searchText + "%' or lastname like '%" + searchText +
                "%' or email like '%" + searchText + "%'";
        }
    }


1 Answer


Right now your code is wide open to SQL injection.

Switch to using parameterized queries and I suspect it will fix your problem (as well as fix a huge security vulnerability you have right now...). I'm guessing there is some value that is not being properly escaped when you submit "random characters".

Here is an excellent link to get you started with parameterized queries.

answered 2013-07-19T20:55:13.793
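The stack trace shows the exception is raised by the DataView expression engine (FilteredDataSetHelper.CreateFilteredDataView → DataView.set_RowFilter → LikeNode.AnalyzePattern), which applies FilterExpression to the rows already fetched by the SelectCommand; that engine's LIKE treats `%`, `*`, `[` and `]` as metacharacters and rejects a wildcard in the middle of a pattern, so doubling single quotes alone is not enough. Parameterizing the SelectCommand, as the answer suggests, hardens the SQL side; the expression side needs the bracket escaping the DataColumn.Expression documentation prescribes, shown in this added example (not code from the question or the answer; FilterHelper, EscapeLikeValue and the sample rows are hypothetical).

```csharp
using System;
using System.Data;
using System.Text;

// Hypothetical helper, not the asker's code. DataView.RowFilter's LIKE treats
// %, *, [ and ] as metacharacters and rejects a wildcard in the middle of a
// pattern; the documented escape is to wrap each such character in brackets.
static class FilterHelper
{
    // Escape one user-supplied value for use inside a quoted LIKE pattern.
    public static string EscapeLikeValue(string value)
    {
        var sb = new StringBuilder(value.Length + 8);
        foreach (char c in value)
        {
            if (c == '[' || c == ']' || c == '*' || c == '%')
                sb.Append('[').Append(c).Append(']');   // literal metacharacter
            else if (c == '\'')
                sb.Append("''");                        // quote stays inside the string literal
            else
                sb.Append(c);
        }
        return sb.ToString();
    }

    static readonly string[] Cols = { "nickname", "username", "clubnumber", "firstname", "lastname", "email" };

    // Same six-column search as the question, built on the escaped value.
    public static string BuildSearchFilter(string searchText)
    {
        string v = EscapeLikeValue(searchText.Trim());
        return string.Join(" or ", Array.ConvertAll(Cols, c => c + " like '%" + v + "%'"));
    }

    static void Main()
    {
        // Constructed in-memory table standing in for the SqlDataSource result set.
        var t = new DataTable();
        foreach (var c in Cols) t.Columns.Add(c, typeof(string));
        t.Rows.Add("100%club", "alice", "42", "Alice", "A", "a@example.test");
        t.Rows.Add("bob", "bob", "7", "Bob", "B", "b@example.test");

        var view = new DataView(t) { RowFilter = BuildSearchFilter("%^&*&%") };
        Console.WriteLine(view.Count);   // the input that crashed the page now simply filters
        view.RowFilter = BuildSearchFilter("100%");
        Console.WriteLine(view.Count);   // the escaped % is matched as a literal, not a wildcard
    }
}
```

Note that SqlDataSource.FilterParameters are substituted into FilterExpression by string formatting, so they do not remove the need for this escaping; the escaping applies to values only, and column names must never come from user input.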