這是我的代碼中的sql漏洞嗎?因爲我有參數化的SQL,所以沒有sql注入?任何人給一些建議將會感激!如果是的話,如何修復?我的代碼中是否存在這個sql漏洞?
ASP.NET代碼:
public DataTable CompanySearchUser(int pageSize, int currentPage, string whereCondition)
{
DbParameter[] parms = {
DbHelper.MakeInParam("@PageSize",(DbType)SqlDbType.Int,4,pageSize),
DbHelper.MakeInParam("@PageNumber",(DbType)SqlDbType.Int,4,currentPage),
DbHelper.MakeInParam("@where",(DbType)SqlDbType.NVarChar,500,whereCondition)
};
DataTable userlist = DbHelper.ExecuteDataset(CommandType.StoredProcedure, "spCompanySearchUser", parms).Tables[0];
return userlist;
}
SQL代碼:
ALTER PROC [dbo].[spCompanySearchUser]
@PageSize INT
@PageNumber INT,
@where nvarchar(550)--like 'and a=1 '
AS
DECLARE @RowStart INT
DECLARE @RowEnd INT
DECLARE @SQL NVARCHAR(4000)
IF @PageNumber > 0
BEGIN
SET @PageNumber = @PageNumber - 1
SET @RowStart = @PageSize * @PageNumber + 1;
SET @RowEnd = @RowStart + @PageSize - 1;
SET @SQL='
WITH AllUsers
AS (SELECT
UB.UserBaicInfoID,
UB.UserName,
UB.HighestEducation,
UB.Age,
UB.Sex,
UB.WorkExperience,
UB.PositionDesired,
UB.UpdateTime,
Row_number() OVER (ORDER BY UB.UpdateTime DESC) AS RowNumber
From UserBasicInfo UB
WHERE ResumeState=1 '[email protected]+')
SELECT * FROM AllUsers WHERE RowNumber >=' + Str(@RowStart) + ' AND RowNumber <= ' + Str(@RowEnd) + ''
EXEC sp_executesql @SQL
END
是在我的代碼此漏洞的SQL因爲我在參數化SQL,所以沒有SQL注入?任何人給一些建議將會感激!如果是的話,如何修復?
不會傳遞整個'where'條件(甚至是逐字的一部分)。從傳遞的參數中自行構造表達式。檢查參數並在將它們粘貼到查詢之前確保它們具有預期的類型。 – akonsu