0

MyI created a form that should gather information from data. This data may include random characters including " ' and so on. My question is how do I insert data safely without having sql injection attacks and where could i insert escape characters so that this form does not throw errors whenever a characters like ' "/ and so on are inserted.

Here is my code so far:

   public string InsertRecordSet()
    {        

        source = new FileInfo(@"c:\scripts\db_connection.txt");
        stream = source.OpenText();
        String text = stream.ReadLine();
        stream.Close();
        String uid = text.Substring(0, text.IndexOf(":"));
        String pw = text.Substring(text.IndexOf(":") + 1, (text.Length - uid.Length - 1));
        String connectionString = "dsn=" + "db" + "; uid=" + uid + "; pwd=" + pw + ";";
        String statement = "INSERT INTO table (SubmitDate, FirstName, LastName, Email, Phone, Major, Description, HearAbout) VALUES (@SubmitDate, @FirstName, @LastName, @Email, @Phone, @Major, @Description, @HearAbout)";                    

        conn = new OdbcConnection(connectionString);

        command = new OdbcCommand(statement, conn);

        command.Parameters.AddWithValue("@SubmitDate", DateTime.Now);
        command.Parameters.AddWithValue("@FirstName", txtFname.Text);
        command.Parameters.AddWithValue("@LastName", txtLname.Text);
        command.Parameters.AddWithValue("@Email", txtEmail.Text);
        command.Parameters.AddWithValue("@Phone", txtPhone.Text);
        command.Parameters.AddWithValue("@Major", txtMajor.Text);
        command.Parameters.AddWithValue("@Desciption", txtDescription.Text);
        command.Parameters.AddWithValue("@HearAbout", txtMaxwell.Text);

        conn.Open();
        try
        {               
            command.ExecuteNonQuery();
            return "true";
        }
        catch (OdbcException oe)
        {
            _dbError = true;
            Session.Contents.Add("USIFormException", oe);
            return (oe.ToString());
        }
        finally
        {
            conn.Close();
        }
    }
4

2 回答 2

1

对于 SQL 注入保护,不要使用内联 SQL,而是使用参数化 SQL。

参数化 SQL 可以防止 SQL 注入,因为它只允许值(或参数)成为字符串的一部分,而不是任何东西。例如,你不能DROP TABLE xyz在你的参数化 SQL 字符串中,因为Command对象知道那不是一个合法的参数值。

所以代替这段代码:

String statement = "INSERT INTO MyTable(SubmitDate, FirstName, LastName, Email, Phone, Major, Description, HearAbout)";                    
statement += "VALUES (";
statement += "'" + DateTime.Now.ToShortDateString() + "',";
statement += "'" + txtFname.Text + "', ";  

conn = new OdbcConnection(connectionString);

command = new OdbcCommand(statement, conn);

你应该有这样的代码:

String statement = String statement = "INSERT INTO MyTable(SubmitDate, FirstName, LastName, Email, Phone, Major, Description, HearAbout) VALUES (@SubmitDate, @FirstName)";

command.Parameters.Add("@SubmitDate", DateTime.Now.ToShortDateString());
command.Parameters.Add("@FirstName", txtFname.Text);

注意:如果您的数据库逻辑正在执行动态 SQL,参数化查询将无法完全保护您免受 SQL 注入,因此也要避免这种情况。

于 2013-08-24T17:29:30.100 回答
0

您应该使用参数化值。

string query =  "INSERT INTO MyTable(SubmitDate, FirstName, LastName, Email, Phone, Major, Description, HearAbout)";                    
query += " VALUES (@SubmitDate, @FirstName, @LastName, @EMail, @Phone, @Major, @Description, @HearAbout)";
conn = new OdbcConnection(connectionString);
command = new OdbcCommand(query, conn);
command.Parameters.AddWithValue("@SubmitDate", DateTime.Now.ToShortDateString());
command.Parameters.AddWithValue("@FirstName",  txtFname.Tex);
...

conn.Open();
command.ExecuteNonQuery();

http://msdn.microsoft.com/en-us/library/system.data.odbc.odbccommand.aspx

http://msdn.microsoft.com/en-us/library/system.data.odbc.odbcparametercollection.aspx

于 2013-08-24T17:30:04.027 回答