动态构建sql,不可sql注入
CREATE PROCEDURE [dbo].[MemberTestSelect2]
(
@UserName nvarchar(50),
@Password nvarchar(50)
)
AS
BEGIN
SET NOCOUNT ON
DECLARE @Err int
DECLARE @sqlString nvarchar(1000)
SELECT @sqlString =’SELECT * FROM [MemberTest] WHERE [UserName] = @UserName AND [Password]= @Password’
SELECT @sqlString
Exec sp_executesql @sqlString, N’@UserName nvarchar(50),@Password nvarchar(50)’,@UserName, @Password
SET @Err = @@Error
RETURN @Err
END
GO
===========================
动态构建sql,可sql注入
CREATE PROCEDURE [dbo].[MemberTestSelect2]
(
@UserName nvarchar(50),
@Password nvarchar(50)
)
AS
BEGIN
SET NOCOUNT ON
DECLARE @Err int
DECLARE @sqlString nvarchar(1000)
SELECT @sqlString =’SELECT * FROM [MemberTest] WHERE [UserName] = ”’+@UserName+”’ AND [Password]= ”’+@Password+””
SELECT @sqlString
Exec (@sqlString)
SET @Err = @@Error
RETURN @Err
END
GO
=========================
不可入侵,原因,字符类型长度50, 非动态构建,不可再在里面写入or,exe等语句,即无注入点
CREATE PROCEDURE [dbo].[MemberTestSelect]
(
@UserName nvarchar(50),
@Password nvarchar(50)
)
AS
BEGIN
SET NOCOUNT ON
DECLARE @Err int
SELECT *
FROM [MemberTest]
WHERE
([UserName] = @UserName AND
[Password]= @Password)
SET @Err = @@Error
RETURN @Err
END
GO
========================
SELECT * FROM MemberTest
SELECT * FROM MemberTest WHERE UserName=’1′ AND Password=’1′ OR 1=1
SELECT * FROM MemberTest WHERE UserName=’1′ AND Password=’1′ OR 1=1–’
Exec MemberTestSelect ‘1′, ‘1′– OR 1=1′
Exec MemberTestSelect2 @UserName=’1′, @Password=’1” OR 1=1–’
======================================
存储过程可以防注入,这是不正确的
什么是注入?
select * from table
不能根据参数不同而动态生成不同的sql语句, 这个语句无论在哪儿都不能注入, 因为没有注入口
select * from table where id=’传进来的变量’
这就叫有注入口 , 所有无论用sql语句还是sp都一样
存储过程也可注入, 只要是动态生成的,有注入口,(如2例)
但是一般存储过程的参数时,有长度,类型限止的,且一般都不是动态生成的
本文来自CSDN博客,转载请标明出处:http://blog.csdn.net/cxzhq2002/archive/2008/02/04/2082182.aspx
