zoukankan      html  css  js  c++  java

  • C# 防止SQL注入 转载的

    C# 防止SQL注入攻击

    http://blog.csdn.net/limlimlim/article/details/8629582
     
    l登录判断:select * from T_Users where UserName=... and Password=...,将参数拼到SQL语句中。
    l构造恶意的Password:hello' or 1=1 --
    l                      if (dataReader.Read())
    l                        {
    l                            MessageBox.Show("登陆成功");
    l                        }
    l                        else
    l                        {
    l                            MessageBox.Show("登陆失败");
    l                        }
    l防范注入漏洞攻击的方法:不使用SQL语句拼接,通过参数赋值

              

               string constr = "Data Source=zxtiger;Initial Catalog=itcastcn;Integrated Security=True";
                using (SqlConnection con = new SqlConnection(constr))
                {
                    string sql = "select count(*) from UserLogin where LoginId=@uid and LoginPwd=@pwd";
                    using (SqlCommand cmd = new SqlCommand(sql, con))
                    {
                        ////在执行之前告诉Command对象@uid与@pwd将来用谁来代替
                        ////为变量@uid与@pwd赋值
                        //cmd.Parameters.AddWithValue("@uid", txtUid.Text.Trim());
                        //cmd.Parameters.AddWithValue("@pwd", txtPwd.Text);
                        #region MyRegion
                        //SqlParameter p1 = new SqlParameter("@uid", txtUid.Text.Trim());
                        //cmd.Parameters.Add(p1);

                        //SqlParameter p2 = new SqlParameter("@pwd", txtPwd.Text);
                        //cmd.Parameters.Add(p2);
                        #endregion

                       
                        SqlParameter[] pms = new SqlParameter[] {
                        new SqlParameter("@uid", txtUid.Text.Trim()),
                        new SqlParameter("@pwd", txtPwd.Text)
                        };
                        cmd.Parameters.AddRange(pms);


                        con.Open();
                        int r = Convert.ToInt32(cmd.ExecuteScalar());
                        con.Close();
                        if (r > 0)
                        {
                            MessageBox.Show("登录成功!");
                        }
                        else
                        {
                            MessageBox.Show("登录失败!");
                        }
                    }
                }
  • 相关阅读:
    最常被程序员们谎称读过的计算机书籍
    天气城市代码,市级城市. 用java的map.中国天气网.
    你所知道的学习方法,都是错的!
    解决「问题」,不要解决问题
    [IOS 下重温设计模式] AbstractFactory
    判断UIView是否装载完成
    va_start、va_end、va_list的使用
    [IOS 下重温设计模式] Singleton
    IOS BLOCK收集
    SEL
  • 原文地址:https://www.cnblogs.com/justdoitfei/p/4265667.html
Copyright © 2011-2022 走看看