示例#1
0
        /// <summary>
        ///     检查调用存储过程时相关的参数是否有注入的风险
        /// </summary>
        /// <param name="dm"></param>
        /// <param name="val"></param>
        /// <returns></returns>
        private bool CheckInjectAttackForSp(DbCommand dm, object val)
        {
            if (!CheckStoredProcedurePara)
            {
                return(false);
            }

            if (dm == null)
            {
                return(false);
            }

            if (dm.CommandType != CommandType.StoredProcedure)
            {
                return(false);
            }

            if (val == null || val is DBNull)
            {
                return(false);
            }

            if (!(val is string))
            {
                return(false);
            }

            if (!SqlInjectionReject.CheckMssqlParameter(val.ToString()))
            {
                return(true);
            }

            return(false);
        }
示例#2
0
        /// <summary>
        ///     检查调用存储过程时相关的参数是否有注入的风险
        /// </summary>
        private bool CheckInjectAttackForSp(DbCommand dm)
        {
            if (!CheckStoredProcedurePara)
            {
                return(false);
            }

            if (dm == null)
            {
                return(false);
            }

            if (dm.CommandType != CommandType.StoredProcedure)
            {
                return(false);
            }

            if (dm.Parameters.Count == 0)
            {
                return(false);
            }

            for (var i = 0; i < dm.Parameters.Count; i++)
            {
                if (dm.Parameters[i].Value == null || dm.Parameters[i].Value is DBNull)
                {
                    continue;
                }
                if (!(dm.Parameters[i].Value is string))
                {
                    continue;
                }

                if (!SqlInjectionReject.CheckMssqlParameter(dm.Parameters[i].Value.ToString()))
                {
                    return(true);
                }
            }

            return(false);
        }