1. 首页
  2. PYTHON
  3. asp.net 防注入式攻击

asp.net 防注入式攻击

python阅读 1995

网上有许多防SQL注入式攻击的方法。我使用将值用参数传入形式。相关代码如下:

/// <summary>

/// 执行参数

/// </summary>

/// <param name="asSql">SQL语句</param>

/// <param name="asPlList">参数列表</param>

public static void ExecuteDMLParameterSQL(string asSql, sttSqlParameterList[] asPlList)

{

sConnectionString = ConfigurationManager.AppSettings.Get("UserConnection");

OracleConnection ocConnection = new OracleConnection(sConnectionString);

ocConnection.Open();

OracleCommand ocCommand = ocConnection.CreateCommand();

ocCommand.CommandType = CommandType.Text;

ocCommand.CommandText = asSql;

for (int i = 0; i < asPlList.Length; i++)

{

OracleParameter opName = new OracleParameter();

opName.ParameterName = asPlList[i].Name;

switch (asPlList[i].Type)

{

case "string":

opName.OracleType = OracleType.VarChar;

break;

default:

opName.OracleType = OracleType.VarChar;

break;

}

opName.Value = asPlList[i].Value;

ocCommand.Parameters.Add(opName);

}

int iResult = (int)ocCommand.ExecuteNonQuery();

ocCommand.Dispose();

ocConnection.Close();

ocConnection.Dispose();

}

/// <summary>

/// 参数结构,用于执行参数语句

/// </summary>

public struct sttSqlParameterList

{

private string sName;

private string sType;

private string sValue;

/// <summary>

/// 构造函数(初始化值)

/// </summary>

/// <param name="asName">参数名</param>

/// <param name="asType">参数类型(暂时只针对string型的值)</param>

/// <param name="asValue">参数值</param>

public sttSqlParameterList(string asName, string asType, string asValue)

{

sName = asName;

sType = asType;

sValue = asValue;

}

/// <summary>

/// 参数名(与SQL语句中的参数名相同,但不带:号)

/// </summary>

public string Name

{

get

{

return sName;

}

set

{

sName = value;

}

}

/// <summary>

/// 参数类型(本参数暂时只接受string型)

/// </summary>

public string Type

{

get

{

return sType;

}

set

{

sType = value;

}

}

/// <summary>

/// 参数值,与参数类型对应

/// </summary>

public string Value

{

get

{

return sValue;

}

set

{

sValue = value;

}

}

}

调用方法为:

string sSql = "update HP_REQUIREMENT "

+ " set RqtGuage=16,RqtUpdateDate=to_date('{1}','yyyy.MM.dd'),"

+ " RqtChecker

+ " RqtCheckerEmp,"

+ "RqtDevelopExplain=:CheckerExplain," //CheckerExplain为参数名,与参数列表中的Name相对应

+ " RqtAnalystHour={4},"

+ " RqtDevelopWorkload={5},"

+ " RqtTestHour={6},"

+ " RqtTotoalHour={7}"

+ " where Rqt";

sSql = string.Format(sSql, sMainID, sUpdateDate, sCheckerID, sCheckerEmpID, sAnalystHour, sWorkLoad, sTestHour, sTotalHour);

//给参数赋值(这里只有一个参数)

sttSqlParameterList[] sptList = new sttSqlParameterList[1];

sptList[0].Name = "CheckerExplain";

sptList[0].Type = "string";

sptList[0].Value = sCheckerExplain;

clsHpDbManage.ExecuteDMLParameterSQL(sSql, sptList);

相关推荐

Copyright © 2008-2024渝ICP备2022006305号-5.

本站所有数据收集于网络如有侵犯到您的权益请联系,进行下架处理。