扫一扫
分享文章到微信
扫一扫
关注官方公众号
至顶头条
最人性化的防止SQL注入函数
由于我们的网站放了防止SQL注入代码,现在只要一出现例如 “or select ”的字符就报错。这样给客户带来不友好的影响。
带参数 连接数据库 执行SQL语句 或者存储过程
C# code
private DataTable ExecuteDataTable(string SqlStr, Hashtable SqlParameters,CommandType temType)
{
String getConnectionString = "Application Name=sss;Initial Catalog=DEVDB;Data Source=10.3.1.218;User ID=sa;password=sa;Pooling=True";
SqlConnection sqlConn = new SqlConnection(getConnectionString);
SqlCommand sqlCmd = new SqlCommand(SqlStr);
SqlDataAdapter sqlDA =new SqlDataAdapter();
DataTable dtSql = new DataTable();
try
{
sqlConn.Open();
sqlCmd.Connection = sqlConn;
sqlCmd.CommandType = temType;
if (SqlParameters != null)
{
IDictionaryEnumerator hsEnum = SqlParameters.GetEnumerator();
while (hsEnum.MoveNext())
{
sqlCmd.Parameters.AddWithValue(hsEnum.Key.ToString(), hsEnum.Value);
}
}
sqlDA.SelectCommand = sqlCmd;
sqlDA.Fill(dtSql);
return dtSql;
}
catch (Exception exExact)
{
string error = exExact.Message;
throw new Exception(error, exExact);
}
finally
{
sqlConn.Close();
}
}
protected void Button2_Click(object sender, EventArgs e)
{
Hashtable htParam = new Hashtable();
htParam.Add("@Language", "Chi");
htParam.Add("@CurrencyCode", "RMB");
htParam.Add("@CurrencyUnit", "1.0");
htParam.Add("@Region", "42");
string sqlstr = "spr_Channellist";
DataTable mytable = ExecuteDataTable(sqlstr, htParam, CommandType.StoredProcedure);
this.GridView1.DataSource = mytable;
GridView1.DataBind();
}
private String ExecuteDataValue(string SqlStr, Hashtable SqlParameters)
{
String getConnectionString = "Application Name=IPTV;Initial Catalog=IPTVDEVDB;Data Source=10.3.1.218;User ID=sa;password=sa;Pooling=True";
SqlConnection sqlConn = new SqlConnection(getConnectionString);
SqlCommand sqlCmd = new SqlCommand(SqlStr);
string strRtrn ;
try
{
sqlConn.Open();
sqlCmd.Connection = sqlConn;
sqlCmd.CommandType = CommandType.Text;
if(SqlParameters != null)
{
IDictionaryEnumerator hsEnum = SqlParameters.GetEnumerator();
while(hsEnum.MoveNext())
{
sqlCmd.Parameters.AddWithValue(hsEnum.Key.ToString(), hsEnum.Value);
}
}
strRtrn = Convert.ToString(sqlCmd.ExecuteScalar());
return strRtrn;
}
catch(Exception exExact)
{
string error = exExact.Message;
throw new Exception(error, exExact);
}
finally
{
sqlConn.Close();
}
}
protected void GridView1_PageIndexChanging(object sender, GridViewPageEventArgs e)
{
GridView1.PageIndex = e.NewPageIndex;
OleDbConnection conn = new OleDbConnection("provider=microsoft.jet.oledb.4.0;data source=" + Server.MapPath("") + "\\CODEDB.mdb");
string sql = "select * from Code ";
OleDbDataAdapter oda = new OleDbDataAdapter(sql, conn);
DataSet ds = new DataSet();
oda.Fill(ds);
this.GridView1.DataSource = ds.Tables[0];
GridView1.DataBind();
}
private bool ProcessSqlStr(string Str)
{
bool ReturnValue = true;
try
{
if (Str.Trim() != "")
{
string SqlStr = "and |exec |insert |select |delete |update |count |* |chr |mid |master |truncate |char |declare";
string[] anySqlStr = SqlStr.Split('|');
foreach (string ss in anySqlStr)
{
if (Str.ToLower().IndexOf(ss) >= 0)
{
ReturnValue = false;
break;
}
}
}
}
catch
{
ReturnValue = false;
}
return ReturnValue;
}
网站本身用的是存储过程
public bool InsertAdmin(string userName, string password, string remark, string mail, int departId, int power)
{
string sql = "insert into S_Admin(UserName,Password,Remark,Mail,DepartId,Power)values(:UserName,:Password,:Remark,:Mail,:DepartId,:Power)";
OracleConnection connection = new OracleConnection();
connection.ConnectionString = "";//此处设置链接字符串
OracleCommand command = new OracleCommand(sql, connection);
command.Parameters.Add(":UserName", OracleType.NVarChar, 60).Value = userName;
command.Parameters.Add(":Password", OracleType.NVarChar, 60).Value =password;
command.Parameters.Add(":Remark", OracleType.NVarChar, 60).Value = remark;
command.Parameters.Add(":Mail", OracleType.NVarChar, 60).Value =mail;
command.Parameters.Add(":DepartId", OracleType.Int32, 4).Value =departId;
command.Parameters.Add(":Power", OracleType.Int32, 4).Value = power;
connection.Open();
int rowsAffected=command.ExecuteNonQuery();
connection.Close();
command.Dispose();
return rowsAffected > 0;
}
}
如果您非常迫切的想了解IT领域最新产品与技术信息,那么订阅至顶网技术邮件将是您的最佳途径之一。
现场直击|2021世界人工智能大会
直击5G创新地带,就在2021MWC上海
5G已至 转型当时——服务提供商如何把握转型的绝佳时机
寻找自己的Flag
华为开发者大会2020(Cloud)- 科技行者