SQL预编译防注入小测试

浏览数：16 / 时间：2015年06月12日

个人对SQL预编译的认识:

1、效率提升,对SQL语句编译一次可多次使用.避免了硬解析和软解析等步骤，当执行的语句上规模的时候性能差异还是很明显的。
2、安全提升,预编译之后的SQL语句,语义不会发生变化,安全性有相当大的提升。

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Data.SqlClient;
using System.Data;

namespace PreSql
{
    class Program
    {
        /*
         * create table test_table
(
a nvarchar(20)
)


insert into test_table(a) values(‘2‘);*/
        const string conStr = @"Password=1qaz!QAZ;Persist Security Info=True;User ID=sa;Initial Catalog=IBatisNet;Data Source=WANGN\CR";
        static void Main(string[] args)
        {

            Console.WriteLine("SqlJoin:");
            SqlJoin();
            Console.WriteLine();
            Console.WriteLine("PreSqlTest");
            PreSqlTest();

            Console.WriteLine("Completed");

            Console.Read();
        }

        static void SqlJoin()
        {
            string sql = "select count(*) from test_table where a=‘{0}‘";
            string tmpSql = string.Format(sql, "1‘ or  ‘1‘=‘1");
            string tmpSql2 = string.Format(sql, "1");

            using (SqlConnection conn = new SqlConnection(conStr))
            {
                if (conn.State != ConnectionState.Open)
                {
                    conn.Open();
                }
                SqlCommand com = new SqlCommand(tmpSql, conn);
                object obj = com.ExecuteScalar();
                Console.WriteLine("SQL注入成功:" + obj.ToString());

                SqlCommand com2 = new SqlCommand(tmpSql2, conn);
                object obj2 = com2.ExecuteNonQuery();
                Console.WriteLine("正常应返回-1:" + obj2);
            }
        }
        static void PreSqlTest()
        {
            string sql = "select count(*) from test_table where a=@id";
            using (SqlConnection conn = new SqlConnection(conStr))
            {
                if (conn.State != ConnectionState.Open)
                {
                    conn.Open();
                }
                SqlCommand com = new SqlCommand(sql, conn);
                com.Parameters.Add(new SqlParameter
                {
                    DbType = DbType.String,
                    Size = 256,
                    ParameterName = "@id",
                    Value = "1 or 1=1"
                });
                object obj = com.ExecuteScalar();
                Console.WriteLine("SQL注入不成功:" + obj.ToString());

                SqlCommand com2 = new SqlCommand(sql, conn);
                com2.Parameters.Add(new SqlParameter
                {
                    DbType = DbType.String,
                    Size = 256,
                    ParameterName = "@id",
                    Value = "1"
                });
                object obj2 = com2.ExecuteNonQuery();
                Console.WriteLine("正常应返回-1:" + obj2);
            }
        }
    }
}