zoukankan      html  css  js  c++  java

  • C# 防止SQL注入 转载的

    C# 防止SQL注入攻击

    http://blog.csdn.net/limlimlim/article/details/8629582
     
    l登录判断:select * from T_Users where UserName=... and Password=...,将参数拼到SQL语句中。
    l构造恶意的Password:hello' or 1=1 --
    l                      if (dataReader.Read())
    l                        {
    l                            MessageBox.Show("登陆成功");
    l                        }
    l                        else
    l                        {
    l                            MessageBox.Show("登陆失败");
    l                        }
    l防范注入漏洞攻击的方法:不使用SQL语句拼接,通过参数赋值

              

               string constr = "Data Source=zxtiger;Initial Catalog=itcastcn;Integrated Security=True";
                using (SqlConnection con = new SqlConnection(constr))
                {
                    string sql = "select count(*) from UserLogin where LoginId=@uid and LoginPwd=@pwd";
                    using (SqlCommand cmd = new SqlCommand(sql, con))
                    {
                        ////在执行之前告诉Command对象@uid与@pwd将来用谁来代替
                        ////为变量@uid与@pwd赋值
                        //cmd.Parameters.AddWithValue("@uid", txtUid.Text.Trim());
                        //cmd.Parameters.AddWithValue("@pwd", txtPwd.Text);
                        #region MyRegion
                        //SqlParameter p1 = new SqlParameter("@uid", txtUid.Text.Trim());
                        //cmd.Parameters.Add(p1);

                        //SqlParameter p2 = new SqlParameter("@pwd", txtPwd.Text);
                        //cmd.Parameters.Add(p2);
                        #endregion

                       
                        SqlParameter[] pms = new SqlParameter[] {
                        new SqlParameter("@uid", txtUid.Text.Trim()),
                        new SqlParameter("@pwd", txtPwd.Text)
                        };
                        cmd.Parameters.AddRange(pms);


                        con.Open();
                        int r = Convert.ToInt32(cmd.ExecuteScalar());
                        con.Close();
                        if (r > 0)
                        {
                            MessageBox.Show("登录成功!");
                        }
                        else
                        {
                            MessageBox.Show("登录失败!");
                        }
                    }
                }
  • 相关阅读:
    自实现的DNetStopWatch类
    IL Discovery 系列三 《为什么在遍历List<T>对象时同时删除其中项会抛出异常》
    高效的线程安全队列ConcurrentQueue<T>(上)
    .NET中Object.Equals()方法与Object.ReferenceEquals()方法
    麻省理工学院(MIT)的开放课程(OCW)真的不错,其音像资料
    Eclipse快捷键大全
    MyEclipse快捷键大全
    c#单文件上传下载源代码
    Tomcat 配置集锦
    asp.net(C#)多文件上传(源代码)vs2008
  • 原文地址:https://www.cnblogs.com/justdoitfei/p/4265667.html
Copyright © 2011-2022 走看看