如果在数据中是这样的,也就是在数据中注入了一条;+Sql语句, 那么这条语句依然会被执行,这样有可能会被恶意操作数据库,如下:
string username = "xxxxx";
string password = "eel';"+"insert into user set username='lee3',password='eel3';";
MySqlCommand cmd = new MySqlCommand("insert into user set username='" + username + "'" + ",password='" + password,conn);
cmd.ExecuteNonQuery();
可以使用下边的方式解决恶意注入的情况
string username = "xxxxx";
string password = "eel';insert into user set username='lee3',password='eel3';";
MySqlCommand cmd = new MySqlCommand("insert into user set username=@user,password=@pwd",conn);
cmd.Parameters.AddWithValue("user",username);
cmd.Parameters.AddWithValue("pwd",password);
cmd.ExecuteNonQuery();
