防SQL注入:生成参数化的通用分页查询语句

xunyichao8814

xunyichao8814

2016-02-19 18:18

下面图老师小编跟大家分享防SQL注入:生成参数化的通用分页查询语句,一起来学习下过程究竟如何进行吧!喜欢就赶紧收藏起来哦~

  前些时间看了玉开兄的“如此高效通用的分页存储过程是带有sql注入漏洞的”这篇文章,才突然想起某个项目也是使用了累似的通用分页存储过程。使用这种通用的存储过程进行分页查询,想要防SQL注入,只能对输入的参数进行过滤,例如将一个单引号“'”转换成两个单引号“''”,但这种做法是不安全的,厉害的黑客可以通过编码的方式绕过单引号的过滤,要想有效防SQL注入,只有参数化查询才是最终的解决方案。但问题就出在这种通用分页存储过程是在存储过程内部进行SQL语句拼接,根本无法修改为参数化的查询语句,因此这种通用分页存储过程是不可取的。但是如果不用通用的分页存储过程,则意味着必须为每个具体的分页查询写一个分页存储过程,这会增加不少的工作量。

  经过几天的时间考虑之后,想到了一个用代码来生成参数化的通用分页查询语句的解决方案。代码如下:

  public class PagerQuery
  {
    private int _pageIndex;
    private int _pageSize = 20;
    private string _pk;
    private string _fromClause;
    private string _groupClause;
    private string _selectClause;
    private string _sortClause;
    private StringBuilder _whereClause;
    public DateTime DateFilter = DateTime.MinValue;
  
    protected QueryBase()
    {
      _whereClause = new StringBuilder();
    }
  
    /**//// summary
    /// 主键
    /// /summary
    public string PK
    {
      get { return _pk; }
      set { _pk = value; }
    }
  
    public string SelectClause
    {
      get { return _selectClause; }
      set { _selectClause = value; }
    }
  
    public string FromClause
    {
      get { return _fromClause; }
      set { _fromClause = value; }
    }
  
    public StringBuilder WhereClause
    {
      get { return _whereClause; }
      set { _whereClause = value; }
    }
  
    public string GroupClause
    {
      get { return _groupClause; }
      set { _groupClause = value; }
    }
  
    public string SortClause
    {
      get { return _sortClause; }
      set { _sortClause = value; }
    }
  
    /**//// summary
    /// 当前页数
    /// /summary
    public int PageIndex
    {
      get { return _pageIndex; }
      set { _pageIndex = value; }
    }

/**//// summary
    /// 分页大小
    /// /summary
    public int PageSize
    {
      get { return _pageSize; }
      set { _pageSize = value; }
    }
  
    /**//// summary
    /// 生成缓存Key
    /// /summary
    /// returns/returns
    public override string GetCacheKey()
    {
      const string keyFormat = "Pager-SC:{0}-FC:{1}-WC:{2}-GC:{3}-SC:{4}";
      return string.Format(keyFormat, SelectClause, FromClause, WhereClause, GroupClause, SortClause);
    }
  
    /**//// summary
    /// 生成查询记录总数的SQL语句
    /// /summary
    /// returns/returns
    public string GenerateCountSql()
    {
      StringBuilder sb = new StringBuilder();
  
      sb.AppendFormat(" from {0}", FromClause);
      if (WhereClause.Length 0)
        sb.AppendFormat(" where 1=1 {0}", WhereClause);
  
      if (!string.IsNullOrEmpty(GroupClause))
        sb.AppendFormat(" group by {0}", GroupClause);
  
      return string.Format("Select count(0) {0}", sb);
    }
  
    /**//// summary
    /// 生成分页查询语句,包含记录总数
    /// /summary
    /// returns/returns
    public string GenerateSqlIncludeTotalRecords()
    {
      StringBuilder sb = new StringBuilder();
      if (string.IsNullOrEmpty(SelectClause))
        SelectClause = "*";
  
      if (string.IsNullOrEmpty(SortClause))
        SortClause = PK;
  
      int start_row_num = (PageIndex - 1)*PageSize + 1;
  
      sb.AppendFormat(" from {0}", FromClause);
      if (WhereClause.Length 0)
        sb.AppendFormat(" where 1=1 {0}", WhereClause);
  
      if (!string.IsNullOrEmpty(GroupClause))
        sb.AppendFormat(" group by {0}", GroupClause);
  
      string countSql = string.Format("Select count(0) {0};", sb);
      string tempSql =
        string.Format(
          "WITH t AS (SELECT ROW_NUMBER() OVER(ORDER BY {0}) as row_number,{1}{2}) Select * from t where row_number BETWEEN {3} and {4};",
          SortClause, SelectClause, sb, start_row_num, (start_row_num + PageSize - 1));
  
      return tempSql + countSql;
    }/**//// summary
    /// 生成分页查询语句
    /// /summary
    /// returns/returns
    public override string GenerateSql()
    {
      StringBuilder sb = new StringBuilder();
      if (string.IsNullOrEmpty(SelectClause))
        SelectClause = "*";
  
      if (string.IsNullOrEmpty(SortClause))
        SortClause = PK;
  
      int start_row_num = (PageIndex - 1)*PageSize + 1;
  
      sb.AppendFormat(" from {0}", FromClause);
      if (WhereClause.Length 0)
        sb.AppendFormat(" where 1=1 {0}", WhereClause);
  
      if (!string.IsNullOrEmpty(GroupClause))
        sb.AppendFormat(" group by {0}", GroupClause);
  
      return
        string.Format(
          "WITH t AS (SELECT ROW_NUMBER() OVER(ORDER BY {0}) as row_number,{1}{2}) Select * from t where row_number BETWEEN {3} and {4}",
          SortClause, SelectClause, sb, start_row_num, (start_row_num + PageSize - 1));
    }
  }

  使用方法:

PagerQuery query = new PagerQuery();
query.PageIndex = 1;
  query.PageSize = 20;
  query.PK = "ID";
  query.SelectClause = "*";
  query.FromClause = "TestTable";
  query.SortClause = "ID DESC";
  
  if (!string.IsNullOrEmpty(code))
  {
  query.WhereClause.Append(" and ID= @ID");
  }

(本文来源于图老师网站,更多请访问http://m.tulaoshi.com/bianchengyuyan/)

  a)GenerateCountSql ()方法生成的语句为:

Select count(0) from TestTable Where 1=1 and ID= @ID

  b)GenerateSql()方法生成的语句为:

WITH t AS (SELECT ROW_NUMBER() OVER(ORDER BY ECID DESC) as row_number, * from TestTable where 1=1 and ID= @ID) Select * from t where row_number BETWEEN 1 and 20

  c)GenerateSqlIncludetTotalRecords()方法生成的语句为:

WITH t AS (SELECT ROW_NUMBER() OVER(ORDER BY E.ECID DESC) as row_number,* from TestTable where 1=1 and ID= @ID) Select * from t where row_number BETWEEN 1 and 20;Select count(0) from ECBasicInfo where 1=1 and ID= @ID;

  注意:以上代码生成的SQL语句是曾对SQL SERVER 2005以上版本的,希望这些代码对大家有用

(本文来源于图老师网站,更多请访问http://m.tulaoshi.com/bianchengyuyan/)
展开更多 50%)
分享

猜你喜欢

防SQL注入:生成参数化的通用分页查询语句

编程语言 网络编程
防SQL注入:生成参数化的通用分页查询语句

编写通用的ASP防SQL注入攻击程序

Web开发
编写通用的ASP防SQL注入攻击程序

s8lol主宰符文怎么配

英雄联盟 网络游戏
s8lol主宰符文怎么配

如何编写通用的ASP防SQL注入攻击程序

Web开发
如何编写通用的ASP防SQL注入攻击程序

SQL查询语句对象化的实现(C#)

MySQL mysql数据库
SQL查询语句对象化的实现(C#)

lol偷钱流符文搭配推荐

英雄联盟 网络游戏
lol偷钱流符文搭配推荐

如此高效通用的分页存储过程是带有sql注入漏洞的

编程语言 网络编程
如此高效通用的分页存储过程是带有sql注入漏洞的

ASP中巧用Split()函数生成SQL查询语句

ASP
ASP中巧用Split()函数生成SQL查询语句

lolAD刺客新符文搭配推荐

英雄联盟
lolAD刺客新符文搭配推荐

CSS3系列教程:阴影

CSS3系列教程:阴影

如何配置 SQL Server 2005 以允许远程连接

如何配置 SQL Server 2005 以允许远程连接
下拉加载更多内容 ↓