个人对SQL预编译的认识:
1、效率提升,对SQL语句编译一次可多次使用.避免了硬解析和软解析等步骤,当执行的语句上规模的时候性能差异还是很明显的。
2、安全提升,预编译之后的SQL语句,语义不会发生变化,安全性有相当大的提升。
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Data.SqlClient;
using System.Data;
namespace PreSql
{
class Program
{
/*
* create table test_table
(
a nvarchar(20)
)
insert into test_table(a) values(‘2‘);*/
const string conStr = @"Password=1qaz!QAZ;Persist Security Info=True;User ID=sa;Initial Catalog=IBatisNet;Data Source=WANGN\CR";
static void Main(string[] args)
{
Console.WriteLine("SqlJoin:");
SqlJoin();
Console.WriteLine();
Console.WriteLine("PreSqlTest");
PreSqlTest();
Console.WriteLine("Completed");
Console.Read();
}
static void SqlJoin()
{
string sql = "select count(*) from test_table where a=‘{0}‘";
string tmpSql = string.Format(sql, "1‘ or ‘1‘=‘1");
string tmpSql2 = string.Format(sql, "1");
using (SqlConnection conn = new SqlConnection(conStr))
{
if (conn.State != ConnectionState.Open)
{
conn.Open();
}
SqlCommand com = new SqlCommand(tmpSql, conn);
object obj = com.ExecuteScalar();
Console.WriteLine("SQL注入成功:" + obj.ToString());
SqlCommand com2 = new SqlCommand(tmpSql2, conn);
object obj2 = com2.ExecuteNonQuery();
Console.WriteLine("正常应返回-1:" + obj2);
}
}
static void PreSqlTest()
{
string sql = "select count(*) from test_table where [email protected]";
using (SqlConnection conn = new SqlConnection(conStr))
{
if (conn.State != ConnectionState.Open)
{
conn.Open();
}
SqlCommand com = new SqlCommand(sql, conn);
com.Parameters.Add(new SqlParameter
{
DbType = DbType.String,
Size = 256,
ParameterName = "@id",
Value = "1 or 1=1"
});
object obj = com.ExecuteScalar();
Console.WriteLine("SQL注入不成功:" + obj.ToString());
SqlCommand com2 = new SqlCommand(sql, conn);
com2.Parameters.Add(new SqlParameter
{
DbType = DbType.String,
Size = 256,
ParameterName = "@id",
Value = "1"
});
object obj2 = com2.ExecuteNonQuery();
Console.WriteLine("正常应返回-1:" + obj2);
}
}
}
}
执行结果:
SqlJoin:
SQL注入成功:1
正常应返回-1:-1
PreSqlTest
SQL注入不成功:0
正常应返回-1:-1
Completed
时间: 2024-08-07 15:47:50