from :
http://www.siteweavercms.cn/Item/113.aspx
由于存储过程中存在用于字符串连接的 + 号连接SQL语句,这就造成SQL注入的可能性.
下面一个例子:
PR_UserManage_Users_BatchMove
CREATE PROCEDURE [dbo].[PR_UserManage_Users_BatchMove]
(
@UserType int = 1,
@GroupId NVarChar(500) ='',
@UserId NVarChar(4000) = '',
@UserName NVarChar(255) = '',
@StartUserId int = 0,
@EndUserId int = 0,
@BatchUserGroupId NVarChar(500) =''
)
AS
BEGIN
SET NOCOUNT OFF
If (@UserType = 1)
BEGIN
EXEC('Update PE_Users set GroupID= ' + @GroupId +' Where UserID in (' + @UserId + ')')
END
Else If(@UserType = 2)
BEGIN
EXEC('Update PE_Users set GroupID= ' + @GroupId +' Where UserName in (''' + @UserName + ''')')
END
Else If(@UserType = 3)
BEGIN
EXEC('Update PE_Users set GroupID= ' + @GroupId +' Where UserId between ' + @StartUserId + ' and ' + @EndUserId)
END
Else If(@UserType = 4)
BEGIN
EXEC('Update PE_Users set GroupID= ' + @GroupId +' Where GroupID in (' + @BatchUserGroupId + ')')
END
END
(
@UserType int = 1,
@GroupId NVarChar(500) ='',
@UserId NVarChar(4000) = '',
@UserName NVarChar(255) = '',
@StartUserId int = 0,
@EndUserId int = 0,
@BatchUserGroupId NVarChar(500) =''
)
AS
BEGIN
SET NOCOUNT OFF
If (@UserType = 1)
BEGIN
EXEC('Update PE_Users set GroupID= ' + @GroupId +' Where UserID in (' + @UserId + ')')
END
Else If(@UserType = 2)
BEGIN
EXEC('Update PE_Users set GroupID= ' + @GroupId +' Where UserName in (''' + @UserName + ''')')
END
Else If(@UserType = 3)
BEGIN
EXEC('Update PE_Users set GroupID= ' + @GroupId +' Where UserId between ' + @StartUserId + ' and ' + @EndUserId)
END
Else If(@UserType = 4)
BEGIN
EXEC('Update PE_Users set GroupID= ' + @GroupId +' Where GroupID in (' + @BatchUserGroupId + ')')
END
END
可以看出,在用户名的地方,没有过滤直接放入查询.
调用地方: