不确定发布此问题的位置,但我关注答案的安全性,因此我将此目标锁定在此处。如何使用WHERE子句防止注入正确地创建Web服务
我有一个Web服务运行,可靠地返回一个数据集,并允许我提供一个列表现在下拉列表框中返回的记录。
我想从DDL中捕获用户选择并调用另一个Web服务来返回关于选择的详细信息。因此,在Web服务的查询中有一个WHERE语句。我当然担心SQL注入。但我希望至少可以让SQL语句工作。
的选择是一个字符串字段类型,看起来像这样,
<WebMethod()> Public Function getDBrecords(ByVal FileName As String) As DataSet
Return GetDataSet("SELECT ID, ptMaster_ID, StrName, LngText, ShrtText, Lcode, Name, FROM tblMstStrng WHERE FileName = """ & FileName & """; ")
End Function
没有运气,它崩溃我的应用程序有一个SOAP错误。 “
”无法自动进入服务器,连接到服务器进程失败,dbugger已连接。“
后,我清除消息框....
System.Web.Services.Protocols.SoapException was unhandled
Actor=""
Lang=""
Message="System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.Data.SqlClient.SqlException: Invalid column name 'DD_EBSKW20_380_db.pts'. at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection) at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection) at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj) at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj) at System.Data.SqlClient.SqlDataReader.ConsumeMetaData() at System.Data.SqlClient.SqlDataReader.get_MetaData() at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString) at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async) at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result) at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method) at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method) at System.Data.SqlClient.SqlCommand.ExecuteDbDataReader(CommandBehavior behavior) at System.Data.Common.DbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior) at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet) at stringInfo.GetDataSet(String strSQL) in C:\Visual Studio 2008\WebSites\WebSite2\App_Code\stringInfo.vb:line 32 at stringInfo.getDBrecords(String dbName) in C:\Visual Studio 2008\WebSites\WebSite2\App_Code\stringInfo.vb:line 74 --- End of inner exception stack trace ---"
Node=""
Role=""
Source="System.Web.Services"
StackTrace:
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at MultiLangWeb.localhost.stringInfo.getDBrecords(String dbName) in C:\Visual Studio 2008\Projects\MultiLangWeb\MultiLangWeb\Web References\localhost\Reference.vb:line 118
at MultiLangWeb.Main.Button6_Click(Object sender, EventArgs e) in C:\Visual Studio 2008\Projects\MultiLangWeb\MultiLangWeb\Main.Designer.vb:line 388
at System.Windows.Forms.Control.OnClick(EventArgs e)
at System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
at System.Windows.Forms.Control.WndProc(Message& m)
at System.Windows.Forms.ButtonBase.WndProc(Message& m)
at System.Windows.Forms.Button.WndProc(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
at System.Windows.Forms.UnsafeNativeMethods.DispatchMessageW(MSG& msg)
at System.Windows.Forms.Application.ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(Int32 dwComponentID, Int32 reason, Int32 pvLoopData)
at System.Windows.Forms.Application.ThreadContext.RunMessageLoopInner(Int32 reason, ApplicationContext context)
at System.Windows.Forms.Application.ThreadContext.RunMessageLoop(Int32 reason, ApplicationContext context)
at Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.OnRun()
at Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.DoApplicationModel()
at Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.Run(String[] commandLine)
at MultiLangWeb.My.MyApplication.Main(String[] Args) in 17d14f5c-a337-4978-8281-53493378c1071.vb:line 81
at System.AppDomain._nExecuteAssembly(Assembly assembly, String[] args)
at Microsoft.VisualStudio.HostingProcess.HostProc.RunUsersAssembly()
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.ThreadHelper.ThreadStart()
InnerException:
一切工作的其他网络服务,如果我删除的查询与WHERE子句。
您的问题无关的事实,这是一个Web服务。尝试从控制台应用程序执行相同的代码,您会得到相同的结果。尝试使用vbVerticalTab转义字符“ – 2012-01-12 22:00:52
” – 2012-01-12 22:06:16