如何在OracleAccess访问类中禁止SQL注入
//类似于下面的代码我知道在源头控件中应该防止单引号的输入,但我想在访问类中统一这样做,会省事点。
假如正常的SQL语句是这样的:Select * from test wher id='15'
但黑客假冒为 Select * from test where id='15' or '1'='1'
我怎么把这个假冒的单引号去掉,而不去掉真实需要用到的单引号组呢?
--------------------编程问答-------------------- 只要使用了OracleParameter的话,SQL注入自然就被禁止了。 --------------------编程问答--------------------
using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
using System.Data.OracleClient;
namespace DatabaseAccess
{
//
//首先需要添加一个引用,Project/WebSite中有一个Add Reference。。添加一个System.Data.OracleClient;
//用OracleConnection连接Oracle ;
//在Web.config中配置 <add key="Oracle" value="Data Source=xxx;User ID=xxx;Password=xxx"/>;
//<OracleConn>Data Source=xxx;User ID=xxx;Password=xxx"<OracleConn/>
public class OracleAccess
{
public System.Data.OracleClient.OracleConnection conn;
/// <summary>
/// 打开数据库连接
/// </summary>
public void Open()
{
conn = new OracleConnection(System.Configuration.ConfigurationSettings.AppSettings["Oracle"]);
conn.Open();
}
/// <summary>
/// 打开数据库连接,返回cnn
/// </summary>
public OracleConnection OpenConn()
{
conn = new OracleConnection(System.Configuration.ConfigurationSettings.AppSettings["Oracle"]);
conn.Open();
return (conn);
}
/// <summary>
/// 关闭数据库连接
/// </summary>
public void Close()
{
conn.Close();
}
/// <summary>
/// 返回DataSet
/// </summary>
/// <param name="CmdString"></param>
/// <returns></returns>
public DataSet GetDataSet(string sql)
{
Open();
OracleDataAdapter myOda = new OracleDataAdapter();
myOda.SelectCommand = new OracleCommand(sql, conn);
DataSet myDs = new DataSet();
myOda.Fill(myDs);
Close();
return myDs;
}
/// <summary>
/// 返回OleDbDataReader
/// </summary>
/// <param name="CmdString"></param>
/// <returns></returns>
/// <summary>
/// 返回DataSet
/// </summary>
/// <param name="CmdString"></param>
/// <param name="TableName"></param>
/// <returns></returns>
public DataSet GetDataSet(string sql, string TableName)
{
Open();
OracleDataAdapter myOda = new OracleDataAdapter();
myOda.SelectCommand = new OracleCommand(sql, conn);
DataSet myDs = new DataSet();
myOda.Fill(myDs, TableName);
Close();
return myDs;
}
/// <summary>
/// 返回OleDbDataReader
/// </summary>
/// <param name="CmdString"></param>
/// <returns></returns>
public OracleDataReader GetDataReader(string sql)
{
Open();
OracleCommand myCmd = new OracleCommand(sql, conn);
OracleDataReader myOdr = myCmd.ExecuteReader();
return myOdr;
}
/// <summary>
/// 返回影响数据库的行数
/// </summary>
/// <param name="CmdString"></param>
/// <returns></returns>
public int ExecuteSQL(string sql)
{
int RecordsAffected = 0;
try
{
Open();
OracleCommand myCmd = new OracleCommand(sql, conn);
RecordsAffected = myCmd.ExecuteNonQuery();
Close();
}
catch
{
RecordsAffected=0;
}
return RecordsAffected;
}
/// <summary>
/// 返回存储过程是否执行成功
/// </summary>
/// <param name="sql"></param>
/// <returns></returns>
public bool ExecuteStoredProcedure(string storedProcedure)
{
try
{
Open();
OracleCommand myCmd = new OracleCommand(storedProcedure, conn);
//myCmd.CommandType = CommandType.StoredProcedure;
myCmd.ExecuteNonQuery();
Close();
return true;
}
catch
{
return false;
}
}
/// <summary>
/// 邦定DroDownList
/// </summary>
/// <param name="DroDList"></param>控件名
/// <param name="sql"></param>连接字符串
/// <param name="TableName"></param>表名
/// <param name="DataTextFd"></param>提供文本内容的数据源字段
/// <param name="DataValueFd"></param>为列表项提供值的数据源字段
public void getDropDwonList(DropDownList dropDownList, string sql, string TableName, string DataTextFd, string DataValueFd)
{
Open();
OracleDataAdapter myOda = new OracleDataAdapter(sql, conn);
myOda.SelectCommand.CommandType = CommandType.Text;
DataSet myDs = new DataSet();
try
{
myOda.Fill(myDs, TableName);
dropDownList.DataSource = myDs.Tables[TableName];
dropDownList.DataTextField = DataTextFd;
dropDownList.DataValueField = DataValueFd;
dropDownList.DataBind();
}
finally
{
Close();
}
}
////////////////////////////////////////////////
public int GetRecordCount(string keyField, string tableName, string condition)
{
int RecordCount = 0;
string sql = "select count(" + keyField + ") as count from " + tableName + " " + condition;
DataSet ds = GetDataSet(sql);
if (ds.Tables[0].Rows.Count > 0)
{
RecordCount = Convert.ToInt32(ds.Tables[0].Rows[0][0]);
}
ds.Clear();
ds.Dispose();
return RecordCount;
}
/// <summary>
/// 统计某表记录总数
/// </summary>
/// <param name="Field">可重复的字段</param>
/// <param name="tableName">数据库.用户名.表名</param>
/// <param name="condition">查询条件</param>
/// <param name="flag">字段是否主键</param>
/// <returns>返回记录总数</returns>
public int GetRecordCount(string Field, string tableName, string condition, bool distinctFlag)
{
int RecordCount = 0;
if (distinctFlag)
{
RecordCount = GetRecordCount(Field, tableName, condition);
}
else
{
string sql = "select count(distinct(" + Field + ")) as count from " + tableName + " " + condition;
DataSet ds = GetDataSet(sql);
if (ds.Tables[0].Rows.Count > 0)
{
RecordCount = Convert.ToInt32(ds.Tables[0].Rows[0][0]);
}
ds.Clear();
ds.Dispose();
}
return RecordCount;
}
////////////////////////////////////////////////
}
}
问题是我已经写好,但不想改代码。所以。。。 --------------------编程问答-------------------- 同SQL SERVER一样啊,Parameters会提高安全性防止注入。或者存储过程。
区别就是SQL SERVER是@,ORACLE为: --------------------编程问答--------------------
通过对参数的控制,是防止SQL注入攻击的一个比较好的控制口,对一个sql语句判断其是否存在攻击代码,这是需要分析的,而且对于一个应用系统来说,根本是不现实的。
不知道有什么好的办法了,如果此类sql语句太多,那么你可以考虑写个小工具来替换,否则你干脆花点时间手动改了。 --------------------编程问答-------------------- ''-_ 可以进行转换掉。 --------------------编程问答-------------------- 不了解SQL注入,如果只使用ling to SQL有没有这种危险? --------------------编程问答-------------------- 使用存储过程,通过参数传递
检查字符串参考
--------------------编程问答-------------------- 我先看一下你的BLOG,不知道会不会有用,呵呵
补充:.NET技术 , C#
