2011-02-08 122 views
-2
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
    Literal1.Text = Request.QueryString("Pno")
    On Error Resume Next
    Dim SQLData As New System.Data.SqlClient.SqlConnection("workstation id=ws.example.com;packet size=4096;user id=some-user;pwd=some-password;data source=mssql.example.com;persist security info=False;initial catalog=some-db")
    Dim cmdSelect As New System.Data.SqlClient.SqlCommand("SELECT * FROM a1_ticket WHERE PNR_no ='" & Literal1.Text & "'", SQLData)
    SQLData.Open()
    Dim dtrReader As System.Data.SqlClient.SqlDataReader = cmdSelect.ExecuteReader()
    If dtrReader.HasRows Then
        While dtrReader.Read()
            Literal2.Text = dtrReader("bus_type")
            Literal3.Text = dtrReader("dep_time")
            Literal4.Text = dtrReader("PRN")
            Literal5.Text = dtrReader("fro_m")
            Literal6.Text = dtrReader("seat_opt")
            Literal7.Text = dtrReader("Ticket_no")
            Literal8.Text = dtrReader("t_o")
            Literal9.Text = dtrReader("taxes")
            Literal10.Text = dtrReader("Travels")
            Literal11.Text = dtrReader("journey_date")
            Literal12.Text = dtrReader("net_pay")
            Literal13.Text = dtrReader("name")
            Literal14.Text = dtrReader("seat_opt")
            Literal15.Text = dtrReader("sel_seat")
            Literal16.Text = dtrReader("bd_point")
        End While
    Else
    End If
    Dim cmd As New System.Data.SqlClient.SqlCommand("SELECT * FROM a1_vendors WHERE UserId ='" & Request.QueryString("tid") & "'", SQLData)
    cmd.ExecuteScalar()
    Literal17.Text = dtrReader("travels")
    Literal18.Text = dtrReader("Contactno")
    SQLData.Close()
    dtrReader.Close()
    SQLData.Close()
End Sub

Really? So how about you tell us what is wrong with it, and we might be able to tell you how to fix it. – dotalchemy 2011-02-08 06:56:39

Answers

3

Assuming you mean the second one, where you SELECT * but call ExecuteScalar: ExecuteScalar only returns a single value (as its result), and it does not update the reader, so Literal17/Literal18 are getting their values from nowhere.

Following the existing pattern, it should be something like:

' caveat: this is **not** intended as a perfect example; this intentionally
' uses the same pattern as the question; see below for notes
dtrReader = cmd.ExecuteReader()
If dtrReader.Read() Then
    Literal17.Text = dtrReader("travels")
    Literal18.Text = dtrReader("Contactno")
End If

More importantly, though:

  • no separation; everything from connection-string management, account credentials (thanks for those, by the way), data access and UI is right there in the Page_Load event handler itself
  • vulnerable to SQL injection, the cause of much gnashing of teeth
  • no using (or the VB equivalent) to ensure deterministic cleanup, rather than waiting for the garbage collector (in the inevitable event of an exception)
6

What is wrong with this query? It is begging for a SQL injection attack.

See:

Dim cmd As New SqlCommand(
    "SELECT * FROM a1_vendors WHERE UserId ='" & 
    Request.QueryString("tid") & "'", SQLData) 

If Request.QueryString("tid") contains the value "'' GO DROP TABLE a1_vendors GO SELECT ''"

suddenly your command becomes "SELECT * FROM a1_vendors WHERE UserId = '' GO DROP TABLE a1_vendors GO SELECT ''".
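A hardened version of the vendor lookup, as an added example that is not code from the question or either answer: it addresses the points raised in both answers, i.e. the query-string value is passed as a parameter instead of being concatenated into the SQL text, and connection, command and reader are wrapped in Using blocks. The table and column names come from the question; the VendorLookup class, the GetVendorContact function and the connection-string placeholder are assumptions.

```vbnet
Imports System.Data
Imports System.Data.SqlClient

' Added example (not from the question or answers): parameterised, Using-wrapped lookup.
Public Class VendorLookup
    ' Placeholder: read the real connection string from configuration, not from page code.
    Private Const ConnectionString As String = "<connection string from configuration>"

    ' Returns (travels, Contactno) for the given UserId, or Nothing when no row matches.
    Public Shared Function GetVendorContact(userId As String) As Tuple(Of String, String)
        ' Reject empty or oversized input before it reaches the database at all.
        If String.IsNullOrWhiteSpace(userId) OrElse userId.Length > 50 Then
            Return Nothing
        End If

        ' Using guarantees Dispose (and therefore Close) even when an exception is thrown,
        ' so cleanup no longer depends on the garbage collector or on On Error Resume Next.
        Using conn As New SqlConnection(ConnectionString)
            ' Select only the two columns the page needs. @UserId is a parameter: its value
            ' travels separately from the SQL text, so a value like
            ' '' GO DROP TABLE a1_vendors GO SELECT '' is compared as a literal string,
            ' never parsed as SQL.
            Using cmd As New SqlCommand(
                "SELECT travels, Contactno FROM a1_vendors WHERE UserId = @UserId", conn)
                cmd.Parameters.Add("@UserId", SqlDbType.NVarChar, 50).Value = userId
                conn.Open()
                ' ExecuteReader, not ExecuteScalar: two columns of one row are needed.
                Using reader As SqlDataReader = cmd.ExecuteReader(CommandBehavior.SingleRow)
                    If reader.Read() Then
                        ' Convert.ToString maps DBNull to "" instead of throwing.
                        Return Tuple.Create(Convert.ToString(reader("travels")),
                                            Convert.ToString(reader("Contactno")))
                    End If
                End Using
            End Using
        End Using
        Return Nothing
    End Function
End Class
```

Page_Load then calls VendorLookup.GetVendorContact(Request.QueryString("tid")) and assigns Item1 and Item2 of the result to Literal17 and Literal18 when it is not Nothing; the ticket query on PNR_no can be rewritten the same way.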