日期:2014-05-18  浏览次数:20437 次

请大侠们看看这段代码如何防注入?
下面是一段search.aspx的后台代码,search.aspx.cs,请大侠们看看怎么修改能防止搜索型注入。
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data;

namespace Maticsoft.Web
{
  public partial class search : System.Web.UI.Page
  {
  protected void Page_Load(object sender, EventArgs e)
  {

  if ((Request.Params["keyword"] != null) && (Request.Params["keyword"].ToString() != ""))
  {
  string keyword = Request.Params["keyword"];
  HiddenField1.Value = keyword;

  showlist(keyword);
  Label1.Text = "关键字:<font color='red'>" + keyword + "</font>";
  }
  }
  /// <summary>
  /// 显示列表
  /// </summary>
  private void showlist(string keyword)
  {  
  Maticsoft.BLL.NewsManage.News bll = new Maticsoft.BLL.NewsManage.News();
  keyword = keyword.Replace("'", "''"); 
  string sql = "select * from T_News where Dormancy='false' and heading like '%" + keyword.ToString() + "%' order by IssueDate desc";
  DataTable dt = bll.pager(AspNetPager1.CurrentPageIndex, AspNetPager1.PageSize, sql);
  System.Data.DataView dv = new System.Data.DataView(dt);
  Repeater1.DataSource = dv;
  Repeater1.DataBind();

  string sql1 = "select count(*) from T_News where Dormancy='false' and heading like '%" + keyword.ToString() + "%'";
  AspNetPager1.RecordCount = bll.gettotal(sql1);
  }
   
  protected string FormatDatetimeString(string str)
  {
  DateTime dt = new DateTime();
  dt = DateTime.Parse(str);
  return dt.ToShortDateString();
 }

  protected void AspNetPager1_PageChanged(object sender, EventArgs e)
  {
  showlist(HiddenField1.Value);
  } 
  }
}
我知道是sql语句那出了问题,但不知道怎么改。

------解决方案--------------------
用参数化SQL即可,简单用法:http://www.cnblogs.com/asdlx/archive/2010/05/14/1735410.html。