zoukankan      html  css  js  c++  java

  • C# 防止SQL注入 转载的

    C# 防止SQL注入攻击

    http://blog.csdn.net/limlimlim/article/details/8629582
     
    l登录判断:select * from T_Users where UserName=... and Password=...,将参数拼到SQL语句中。
    l构造恶意的Password:hello' or 1=1 --
    l                      if (dataReader.Read())
    l                        {
    l                            MessageBox.Show("登陆成功");
    l                        }
    l                        else
    l                        {
    l                            MessageBox.Show("登陆失败");
    l                        }
    l防范注入漏洞攻击的方法:不使用SQL语句拼接,通过参数赋值

              

               string constr = "Data Source=zxtiger;Initial Catalog=itcastcn;Integrated Security=True";
                using (SqlConnection con = new SqlConnection(constr))
                {
                    string sql = "select count(*) from UserLogin where LoginId=@uid and LoginPwd=@pwd";
                    using (SqlCommand cmd = new SqlCommand(sql, con))
                    {
                        ////在执行之前告诉Command对象@uid与@pwd将来用谁来代替
                        ////为变量@uid与@pwd赋值
                        //cmd.Parameters.AddWithValue("@uid", txtUid.Text.Trim());
                        //cmd.Parameters.AddWithValue("@pwd", txtPwd.Text);
                        #region MyRegion
                        //SqlParameter p1 = new SqlParameter("@uid", txtUid.Text.Trim());
                        //cmd.Parameters.Add(p1);

                        //SqlParameter p2 = new SqlParameter("@pwd", txtPwd.Text);
                        //cmd.Parameters.Add(p2);
                        #endregion

                       
                        SqlParameter[] pms = new SqlParameter[] {
                        new SqlParameter("@uid", txtUid.Text.Trim()),
                        new SqlParameter("@pwd", txtPwd.Text)
                        };
                        cmd.Parameters.AddRange(pms);


                        con.Open();
                        int r = Convert.ToInt32(cmd.ExecuteScalar());
                        con.Close();
                        if (r > 0)
                        {
                            MessageBox.Show("登录成功!");
                        }
                        else
                        {
                            MessageBox.Show("登录失败!");
                        }
                    }
                }
  • 相关阅读:
    webService客户端搭建(三)
    webService服务器端搭建(二)
    electron 编译 sqlite3避坑指南---尾部链接有已经编译成功的sqlite3
    解决网页中Waiting (TTFB)数据加载过慢的问题
    Node-sqlite3多字段插入数据问题
    win上使用nvm管理node版本
    centos系统设置局域网静态IP
    将win平台上的mysql数据复制到linux上报错Can't write; duplicate key in table
    win上配置nginx
    Nodejs解决所有跨域请求
  • 原文地址:https://www.cnblogs.com/justdoitfei/p/4265667.html
Copyright © 2011-2022 走看看