Common ASP.NET security issues
1. SQL statement vulnerabilities

Many programmers implement user password verification with a SQL statement built like this (用户表 is the user table, 姓名 the user-name column and 密码 the password column):

Sql="Select * from 用户表 where 姓名 = '" + name + "' and 密码 = '" + password + "'"

A little analysis shows that this statement has a fatal flaw. Suppose we enter the following string as the user name: test' or '1' = '1, and enter an arbitrary password, say aaa. After variable substitution the SQL statement becomes:

Sql="Select * from 用户表 where 姓名='test' or '1' = '1' and 密码 = 'aaa'"

Look at how the WHERE clause is evaluated. AND binds more tightly than OR, so the database reads the condition as 姓名='test' or ('1' = '1' and 密码='aaa'). Since '1' = '1' is always true, the right-hand side reduces to 密码='aaa', and the condition is satisfied by any row whose name is test or whose password is aaa. Substitute a user name that actually exists and that user's row is returned no matter what password was entered, and the other variants below bypass the name check as well:

Select * from 用户表 where 姓名 = 'a valid name' or '1' = '1' and 密码 = ''    // a valid name, no password needed
Select * from 用户表 where 姓名 = '' or '1'='1' and 密码 = '' or '1'='1'    // neither name nor password needed: the trailing or '1'='1' makes the whole condition true
Select * from 用户表 where 姓名 = 'a valid name' --' and 密码 = ''    // a valid name, no password needed: -- comments out the rest of the statement
Solution:

Keeping an ASP.NET application from being broken into by SQL injection is not especially difficult: before form input is used to build a SQL command, every piece of input must be filtered. Filtering can be done in several ways:

1. Check the validity of user input and make sure it contains only legitimate data. Validation should run on both the client and the server; server-side validation is required because client-side validation on its own is weak. An attacker can easily obtain the page source, modify the validation script (or delete it outright) and submit illegal content through the modified form, or skip the form entirely and send a hand-crafted HTTP request.

2. Where SQL queries are built dynamically, the following techniques can be used:

First: escape single quotes, i.e. replace every single quote in the input with two single quotes, so it is stored as a literal character instead of terminating the string. Note that this only protects values placed inside quoted string literals; a number concatenated into the statement without quotes remains injectable.

Second: remove the comment sequence -- (two hyphens), and other comment markers such as /* */, from user input, so the attacker cannot comment out the rest of the statement as in the third example above.

Third: restrict the permissions of the database account used to run the query. Use different accounts for SELECT, INSERT, UPDATE and DELETE operations. Because each account can only perform its own operations, a place that was meant to run a SELECT cannot be turned into a channel for INSERT, UPDATE or DELETE.

3. Execute all queries through stored procedures, passing user input as SQL parameters (SqlParameter in ADO.NET) rather than concatenating it into the command text. Parameters travel separately from the statement, so an attacker cannot use single quotes or comment sequences to change the query. In addition, database permissions can be limited to executing specific stored procedures, and all user input must conform to the security context of the stored procedure being called, so that
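The following is an added, runnable illustration of the attack above and of the three defences just listed. It is example code written for this page, not code from the original article. It uses Python's built-in sqlite3 module in place of ASP.NET/ADO.NET (the bound-parameter mechanism is the same one SqlCommand.Parameters provides) and a constructed two-row user table; the table name users and the accounts alice and bob are assumptions.

```python
import re
import sqlite3

# Constructed sample data (assumption): a users table with two accounts.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """In-memory SQLite database standing in for the article's 用户表."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Builds the statement by string concatenation, exactly like the page's
    Sql=... line. Returns the sorted names of the rows the query matched."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_escaped(conn, name, password):
    """Remediation 2 (first and second technique): double every single quote
    and strip comment sequences before concatenating. This only protects
    values that sit inside quoted string literals."""
    def clean(s):
        for marker in ("--", "/*", "*/"):
            s = s.replace(marker, "")
        return s.replace("'", "''")
    sql = ("SELECT name FROM users WHERE name = '" + clean(name)
           + "' AND password = '" + clean(password) + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, name, password):
    """Remediation 3: the input is bound as parameters and never becomes part
    of the SQL text, so quotes and comment markers are just characters."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def is_valid_name(name):
    """Remediation 1: server-side allow-list check on the user name."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", name) is not None


# The article's payloads: the first one with the non-existent name 'test',
# then the same trick with an existing name, then the two other variants.
PAYLOADS = {
    "nonexistent name + or 1=1": ("test' or '1' = '1", "aaa"),
    "valid name + or 1=1":       ("alice' or '1' = '1", "aaa"),
    "or 1=1 in both fields":     ("' or '1'='1", "' or '1'='1"),
    "valid name + -- comment":   ("alice' --", "aaa"),
}


def run_all():
    """Run every payload against the three login variants; returns a dict of
    results keyed by payload label."""
    conn = make_db()
    results = {}
    for label, (name, password) in PAYLOADS.items():
        results[label] = {
            "vulnerable": login_vulnerable(conn, name, password),
            "escaped": login_escaped(conn, name, password),
            "parameterized": login_parameterized(conn, name, password),
            "name_valid": is_valid_name(name),
        }
    return results


if __name__ == "__main__":
    for label, r in run_all().items():
        print(f"{label:28s} vulnerable={r['vulnerable']} escaped={r['escaped']} "
              f"parameterized={r['parameterized']} name_valid={r['name_valid']}")
```

Running it shows the precedence point directly: the payload with the non-existent name test matches nothing against the concatenated query, because AND binds tighter than OR and no row has password aaa, while the same payload with alice returns alice's row regardless of password, the double or '1'='1' returns every row, and the -- variant returns alice's row. The escaped and parameterized versions match nothing for any of the payloads, and the allow-list check rejects every one of them before a query is even built. Quote doubling is the narrower defence: it fixes quoted string literals only, whereas bound parameters cover every value type, which is why the parameterized form (or a stored procedure called with parameters) is the one to standardise on.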