sql注入问题
我有以下代码片段。
SqlCommand cmd = new SqlCommand("SELECT FName,LName FROM EMPLOYEE_TABLE WHERE EmployeeID = '" +TextBox1.Text + "' AND Password = '"+ TextBox2.Text +"'", con);
SqlDataReader x = cmd.ExecuteReader();
try
{
if (x.Read())
{
name = (string)x["FName"] +' '+ (string)x["LName"];
Session["NAME"] = name;
Session["ID"] = TextBox1.Text;
Response.Redirect("sample.aspx?action=On_Click");
}
else
{
errormsg.Text = "login failed.Please enter Valid UserID and Password";
errormsg.ForeColor = System.Drawing.Color.Red;
}
}
catch (Exception exp)
{
errormsg.Text = "Sorry,You dont have access to this portal.";
}
finally
{
x.Close();
con.Close();
}
现在,当我使用有效的 ID(存在)和密码作为 abc' 或 'x'='x 时,它会登录到数据库中表的第一个帐户。到这为止就好了。
但是,当我尝试调试代码时,它会抛出错误无法计算表达式,因为代码已优化或本机框架位于调用堆栈顶部。。
另外,如果它抛出错误,那么为什么它要登录数据库的第一个帐户。注意:数据库的第一个帐户的用户 ID 与我提供的用户 ID 不同。
注:我是这个应用程序的开发者。所以我没有做任何违法的事情。 :)
I have the following code snippet.
SqlCommand cmd = new SqlCommand("SELECT FName,LName FROM EMPLOYEE_TABLE WHERE EmployeeID = '" +TextBox1.Text + "' AND Password = '"+ TextBox2.Text +"'", con);
SqlDataReader x = cmd.ExecuteReader();
try
{
if (x.Read())
{
name = (string)x["FName"] +' '+ (string)x["LName"];
Session["NAME"] = name;
Session["ID"] = TextBox1.Text;
Response.Redirect("sample.aspx?action=On_Click");
}
else
{
errormsg.Text = "login failed.Please enter Valid UserID and Password";
errormsg.ForeColor = System.Drawing.Color.Red;
}
}
catch (Exception exp)
{
errormsg.Text = "Sorry,You dont have access to this portal.";
}
finally
{
x.Close();
con.Close();
}
Now, when i use a valid id (that exists) and password as abc' or 'x'='x then it logs in into the first account of the table in the database. Till this it's fine.
However when I try to debug the code, it throws an error Unable to evaluate expression because the code is optimized or a native frame is on top of the call stack..
Also if it is throwing an error then why is it logging into this 1st account of the database. Note: the first account of the database has a different userid than that which i m providing.
Note: I am the developed of this application. So I'm not doing anything illegal. :)
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
看看你的SQL的这一部分:
有了你的密码,这
不是你想要的SQL。
即使您尝试进行 SQL 注入,也必须生成有效的 SQL。通常,在结束引用后用分号结束语句。请参阅:
http://xkcd.com/327/
Look at this part of your SQL:
With your password, it's
which is not the SQL you want.
Even if you are trying to do SQL injection, you have to result in valid SQL. Usually, it's by ending the statement with a semi-colon after closing the quote. See this:
http://xkcd.com/327/
好的,根据您遇到的主要问题提供答案(正如您所说,您是 SQL 注入问题的新手)。
SQL 注入是由于在构建过程中使用用户输入动态构建 SQL 查询而引起的。 .Net 中最简单的解决方案是创建参数化查询。
我认为杰夫·阿特伍德有最完整而简洁的文章,提供了解释和完整的示例 此处
引自上面的链接:
当前的问题:
它仍然登录帐户的原因是因为查询仍然“有效”。
该语句仍然会被执行,并且仍然会从数据库返回相关记录,不会抛出异常。
当提供无效数据时停止登录过程的唯一方法是在执行查询之前验证输入。在将用户输入发送到数据库之前,您应该始终验证用户输入。如果用户提供:
作为用户名,您将会遇到很多麻烦。
OK, to provide an answer based on the primary issue you've got (as you've stated, you're new to the SQL Injection issue).
SQL Injection is caused by dynamically building a SQL query using user input as part of the construction. The simplest solution to this in .Net is to create a parameterized query.
I think Jeff Atwood has the most complete yet concise article providing an explanation and complete example here
Quoted from above link:
The issue at hand:
The reason it's still logging into the account is because the query is still "valid".
The statement will still be executed, and the relevant record will still be returned from the database, no exception will be thrown.
The only way you will stop the login process when invalid data is provided is to validate the input before executing the query. You should always validate user input before sending it off to the database. If the user were to provide:
as the username, you would be in a LOT of trouble.
您遇到的错误是调试错误,而不是实际的程序异常。这就是为什么当你正常运行它时它会起作用。
为了纠正该错误,我首先确保所有内容都在调试版本中运行。另外,请确保您当前正在调试要检查的变量的函数。尝试单步执行 (F10) 几次越过断点以刷新上下文。对于该特定错误,互联网上有很多其他建议,因此如果您仍然遇到问题,您可能需要进行一些谷歌搜索。
The error you're encountering is a debugging error, not an actual program exception. That's why it works when you run it normally.
To remedy the error, I'd first make sure that everything is running with a Debug build. Also, make sure you're currently debugging in the function of the variable you want to inspect. Try stepping (F10) a few times past your breakpoint to refresh the context. There are a slew of other suggestions on the internet for that particular error, so if you're still having problems you might have to do some googling.