整个WHERe子句作为参数将以任何方式成为sql注入的受害者。为避免这种情况,您最好:
设置适当的权限。因此,即使在注入sql的情况下,用户也无法访问未授予的任何内容。在这种情况下,@
Dhaval的示例更好,因为封装在存储过程中的动态sql生成需要较少的执行权限。
检查语句以进行sql注入。最简单的方法是检查分号,以避免在批处理中出现其他语句。更复杂,更精确的方法是使用t-sql DOM解析器。例如:
using Microsoft.SqlServer.TransactSql.scriptDom;TSql110Parser parser = new TSql110Parser(true);IList<ParseError> errors = null;var condition = "a > 100; delete from [Recipes]";var script = parser.Parse(new StringReader("select [RecipeID] from [Recipes] where " + condition), out errors) as TSqlscript;if (errors.Count > 0){ throw new Exception(errors[0].Message);}foreach (var batch in script.Batches){ if (batch.Statements.Count == 1) { var select = batch.Statements[0] as SelectStatement; if (select != null) { QuerySpecification query = select.Queryexpression as QuerySpecification; if (query.WhereClause is BooleanBinaryexpression) { ... } } else { throw new Exception("Select statement only allowed"); } } else { throw new Exception("More than one statement detected"); }}
