我正在嘗試使用一些通用代碼來從表中檢索標識,並涉及到使用不安全的查詢字符串來注入表名。安全地查詢帶有變量表名稱的SQL表
我到處讀到我無法安全地注入表名。所以我想查詢表是否存在,然後根據結果執行真實或虛擬查詢。
var unsafeTableQuery = "SELECT [Id] FROM [dbo].[" + tableName + "] WHERE [BulkInsertSessionID] = @bulkInsertSessionId";
var guardQuery =
"DECLARE @Exists BIT = (SELECT CAST(COUNT(1) AS BIT) FROM sys.tables WHERE name = @TableName AND type = 'U');" +
"IF (@Exists = 0) SELECT TOP 0 NULL 'Id'" +
"ELSE " + unsafeTableQuery;
var cmd = new SqlCommand(guardQuery, conn, tran);
cmd.Parameters.Add(new SqlParameter("@TableName", tableName));
cmd.Parameters.Add(new SqlParameter("@bulkInsertSessionId", bulkInsertSessionId));
using (SqlDataReader reader = cmd.ExecuteReader())
{
int index = 0;
while (reader.Read())
{
int id = (int)reader[0];
entities[index++].Id = id;
}
}
即使我有不安全的級聯,我首先通過參數查詢對sys.tables
表名。如果它不存在,IF..ELSE
塊將永遠不會進入不安全的查詢。
,可讀性更強,我在期待運行下面的查詢:
DECLARE @Exists BIT = (SELECT CAST(COUNT(1) AS BIT) FROM sys.tables WHERE name = @TableName AND type = 'U');
IF(@Exists = 0)
SELECT TOP 0 NULL 'Id'
ELSE
SELECT [Id] from <InjectedTableName> where BulkInsertSessionID = @bulkSessionId
我是在我的假設是正確的,這是安全的嗎?
'tableName =「Users]; drop table users; - 」' –
@GiorgiNakeuri和這裏得到執行? – romeozor
'cmd.ExecuteReader()'? –