SQL Injection Attacks and Their Solution
1. Definition: A SQL injection attack is the process by which SQL code is passed into an application in a way the application developer did not anticipate. Only applications that build SQL statements directly from user-supplied values are affected.
For example, the original SQL code was built like this (the value typed into txtId is spliced straight into the statement text):
string strSql = "select Orders.CustomerID, Orders.OrderID, Count(UnitPrice) as Items, SUM(UnitPrice*Quantity) as Total "
              + "from Orders INNER JOIN [Order Details] on Orders.OrderID = [Order Details].OrderID "
              + "where Orders.CustomerID = '" + txtId.Text + "' "   // user input becomes part of the SQL
              + "GROUP BY Orders.OrderID, Orders.CustomerID";
Solution: use a parameterized command.
Rewriting the preceding code with a parameterized command gives:
using System;
using System.Data.SqlClient;
using System.Web.Configuration;

protected void btnQuery_Click(object sender, EventArgs e)
{
    string conStr = WebConfigurationManager.ConnectionStrings["Northwind"].ConnectionString;
    // The statement contains a named placeholder; no user text is concatenated into it.
    string strSql = "select Orders.CustomerID, Orders.OrderID, Count(UnitPrice) as Items, SUM(UnitPrice*Quantity) as Total "
                  + "from Orders INNER JOIN [Order Details] on Orders.OrderID = [Order Details].OrderID "
                  + "where Orders.CustomerID = @CustomerID "
                  + "GROUP BY Orders.OrderID, Orders.CustomerID";
    using (SqlConnection con = new SqlConnection(conStr))
    using (SqlCommand cmd = new SqlCommand(strSql, con))
    {
        // The input is bound as a parameter value and is sent to SQL Server separately from the SQL text.
        cmd.Parameters.AddWithValue("@CustomerID", txtId.Text.Trim());
        con.Open();
        using (SqlDataReader reader = cmd.ExecuteReader())
        {
            GridView1.DataSource = reader;
            GridView1.DataBind();
        }
    }
}
Because the value is bound as a parameter rather than spliced into the statement text, the database treats whatever the user typed as a literal CustomerID value and never parses it as SQL, which prevents injection through this input.
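To make the difference between the two builders concrete, here is an added example (not code from the original post) that runs the same query shape against a constructed in-memory SQLite database, with Python's sqlite3 module standing in for ADO.NET and SQL Server. The table contents, the helper names query_concatenated, query_parameterized and compare, and the sample inputs are all assumptions made for the demonstration; the page's @CustomerID placeholder appears here as SQLite's :CustomerID.

```python
import sqlite3

# Constructed stand-in for the two Northwind tables the page's query reads
# (only the columns the query uses are kept).
def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Orders (OrderID INTEGER PRIMARY KEY, CustomerID TEXT);
        CREATE TABLE "Order Details" (OrderID INTEGER, UnitPrice REAL, Quantity INTEGER);
        INSERT INTO Orders VALUES (1, 'ALFKI'), (2, 'ALFKI'), (3, 'BONAP');
        INSERT INTO "Order Details" VALUES (1, 10.0, 2), (1, 5.0, 1), (2, 20.0, 1), (3, 7.5, 4);
    """)
    return con

# Same query shape as the page; {where} is filled in by the two builders below.
QUERY = """
    SELECT Orders.CustomerID, Orders.OrderID,
           COUNT(UnitPrice) AS Items, SUM(UnitPrice * Quantity) AS Total
    FROM Orders INNER JOIN "Order Details" ON Orders.OrderID = "Order Details".OrderID
    WHERE Orders.CustomerID = {where}
    GROUP BY Orders.OrderID, Orders.CustomerID
    ORDER BY Orders.OrderID
"""

def query_concatenated(con, customer_id):
    """The page's original pattern: the user's text becomes part of the SQL statement."""
    sql = QUERY.format(where="'" + customer_id + "'")
    return con.execute(sql).fetchall()

def query_parameterized(con, customer_id):
    """The page's fix: the user's text is bound to :CustomerID and never parsed as SQL."""
    sql = QUERY.format(where=":CustomerID")
    return con.execute(sql, {"CustomerID": customer_id}).fetchall()

def compare(user_input):
    """Run both builders on the same input and return (unsafe_rows, safe_rows).
    unsafe_rows is None when the concatenated statement no longer parses at all."""
    con = build_db()
    try:
        unsafe = query_concatenated(con, user_input)
    except sqlite3.Error:
        unsafe = None
    safe = query_parameterized(con, user_input)
    return unsafe, safe

if __name__ == "__main__":
    # A normal ID, an ID containing an apostrophe, and the textbook tautology input.
    for value in ["ALFKI", "O'Brien", "' OR '1'='1"]:
        unsafe, safe = compare(value)
        print(f"input {value!r}: concatenated -> {unsafe}, parameterized -> {safe}")
```

For a normal customer ID both builders return the same two rows. An ID with an apostrophe breaks the concatenated statement (the quote ends the string literal early and SQLite refuses to parse the rest) while the parameterized version simply finds no such customer. The tautology input turns the concatenated WHERE clause into one that matches every order, so the unsafe builder returns all three orders; the parameterized builder again returns nothing, because the whole string is compared as a literal CustomerID.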