C#使用SQL语句时候的万用密码问题

实际上万用密码就是因为SQL里面的语句--是注释,利用bug添加用户名和密码。

例如,用户名为 adada’ or 1=1--

第一个种写法登录成功了

1

第二种写法登录失败(正确)

2

第三种写法登录失败(正确)

 

3

 

测试代码

数据库部分

create database ThreeDb
go
USE ThreeDb;
GO
CREATE TABLE classify   --分类表
(
    id int primary key identity(1,1),
    name nvarchar(20) not null
)

GO
CREATE TABLE product  --产品表
(
    id int primary key identity(1,1),
    name nvarchar(20) not null,
    price decimal,
    number int default 0,
    c_id int FOREIGN KEY references classify(id)    
)
GO

CREATE TABLE users
(
    id int primary key identity(1,1),
    name nvarchar(20) not null,
    pwd nvarchar(20) not null
)
GO

--添加分类测试数据
insert into classify(name) values('图书');
insert into classify(name) values('家电');
insert into classify(name) values('服饰');

--添加users的测试数据
insert into users(name,pwd) values('admin','admin');

--添加商品测试数据
insert into product(name,price,number,c_id) values('arduino基础版',168,50,1);
insert into product(name,price,number,c_id) values('arduino提高版',268,50,1);
insert into product(name,price,number,c_id) values('arduino至尊版',468,50,1);
insert into product(name,price,number,c_id) values('比基尼',68,50,3);
insert into product(name,price,number,c_id) values('虎皮裙',168,50,3);
insert into product(name,price,number,c_id) values('长靴',368,50,3);
insert into product(name,price,number,c_id) values('电冰箱',3268,50,2);
insert into product(name,price,number,c_id) values('烘干机',2268,50,2);
GO

select count(*) from users where name='admin' and pwd='admin'
go

select count(*) from users where name='xxxdadad' or 1=1 --' and pwd='admin'
go

select * from classify;
go
select * from product order by c_id;
go

C#部分

form1.cs

 

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using System.Data.SqlClient;
using System.Configuration;

namespace AdoTestForm
{ 
    public partial class Form1 : Form
    {
        string constr = "server=QT-201303030913;database=ThreeDb;uid=sa;pwd=daxiang";
        public Form1()
        {
            InitializeComponent();
        }

        private void Form1_Load(object sender, EventArgs e)
        {
            comboBox1.Text = "0-->全部分类";
            //确定数据库连接字符串
            //string constr = "server=QT-201303030913;database=OneDb;uid=sa;pwd=daxiang";
            //string constr = ConfigurationManager.ConnectionStrings["str"].ConnectionString;
            //实例化一个数据库连接的对象
            SqlConnection conn = new SqlConnection(constr);
            //打开数据库连接
            conn.Open();
            //实例化SqlCommand对象(该对象主要用于执行Sql命令)
            SqlCommand cmd = new SqlCommand();
            //指定要执行的SQL语句或者存储过程名称
            cmd.CommandText = "select id,name from classify";
            //确定上面为CommandText类型所赋的值是SQL语句还是存储过程名称
            cmd.CommandType = CommandType.Text;
            //指定该命令所用的数据库连接
            cmd.Connection = conn;
            //声明一个SqlDataReader(数据流对象),并将cmd执行后的结果交给它
            SqlDataReader sdr = cmd.ExecuteReader();

            //循环整个SqlDataReader对象,将里面的值取出来添加到ListBox中
            //sdr.Read()的作用是前进到下一条记录,这也说明SqlDataReader中的数据是一行行放置的
            while (sdr.Read())
            {
                //将数据流中的第一列的值添加到listBox1的项中
                comboBox1.Items.Add(sdr[0]+"-->"+sdr["name"]);
                //上面这句也可以用下面这句代替,sdr["name"]表示当前sdr的name列的值
                //comboBox1.Items.Add(str["name"]);
            }
            //关闭数据流
            sdr.Close();
            //关闭数据库连接
            conn.Close();

            using (SqlConnection conn2 = new SqlConnection(constr))
            {
                conn2.Open();
                SqlCommand cmd2 = new SqlCommand("select count(*) from product", conn2);
                string sum = cmd2.ExecuteScalar().ToString();
                label2.Text = string.Format("共计{0}件商品",sum);
            }

        }

        private void button1_Click(object sender, EventArgs e)
        {
            if (comboBox1.Text != "0-->全部分类")
            {
                string constr = "server=QT-201303030913;database=ThreeDb;uid=sa;pwd=daxiang";
                //实例化一个数据库连接的对象
                SqlConnection conn = new SqlConnection(constr);
                //打开数据库连接
                conn.Open();
                //实例化SqlCommand对象(该对象主要用于执行Sql命令)
                SqlCommand cmd = new SqlCommand();

                //获取分类的id
                //int i = comboBox1.Text.IndexOf("-->");//获取字符串中-->所在位置索引
                string id = comboBox1.Text.Substring(0, 1);//只获取-->之前的字符

                //指定要执行的SQL语句和存储过程名字
                cmd.CommandText = "select * from product where c_id=" + id;
                //去顶上面的CommandText属性所赋值到底是sql还是存储过程名称
                cmd.CommandType = CommandType.Text;
                //指定该命令所用的数据库连接
                cmd.Connection = conn;
                //声明一个SqlDataReader(数据流对象),并将cmd执行后的结果交给它
                SqlDataReader sdr = cmd.ExecuteReader();

                //清空listBox中的项
                listBox1.Items.Clear();

                //循环整个SqlDataReader对象,将里面的值取出来添加到ListBox中
                //sdr.Read()的作用是前进到下一条记录,这也说明SqlDataReader中的数据是一行行放置的
                while (sdr.Read())
                {
                    //将数据流中的第一列的值添加到listBox1的项中
                    listBox1.Items.Add(sdr["id"]+":"+sdr["name"]);

                }
                //关闭数据流
                sdr.Close();
                //关闭数据库连接
                conn.Close();
            }
        }

        private void listBox1_SelectedIndexChanged(object sender, EventArgs e)
        {
            button2.Text = "修改";

            using (SqlConnection conn = new SqlConnection(constr))
            {
                int index = listBox1.Text.IndexOf(":"); //获取-的位置
                string id = listBox1.Text.Substring(0,index);//只获取-之前的字符

                string sql = "select * from product where id=" + id;
                SqlCommand cmd = new SqlCommand(sql, conn);
                conn.Open();

                SqlDataReader sdr = cmd.ExecuteReader();
                while(sdr.Read())
                {
                    tb_name.Text = sdr["name"].ToString();
                    tb_price.Text = sdr["price"].ToString();
                    tb_number.Text = sdr["number"].ToString();
                }
                sdr.Close();
            }
        }

        private void button2_Click(object sender, EventArgs e)
        {
            switch (((Button)sender).Text)
            {
                case "添加":
                    using (SqlConnection conn = new SqlConnection(constr))
                    {
                        int index = comboBox1.Text.IndexOf("-->");
                        string id = comboBox1.Text.Substring(0, index);

                        if (int.Parse(id) > 0)
                        {
                            string sql = "insert into product(name,price,number,c_id) values('"+ tb_name.Text +"',"+ tb_price.Text+ ","+ tb_number.Text +","+ id + ")";
                            SqlCommand cmd = new SqlCommand(sql, conn);
                            conn.Open();
                            int i = cmd.ExecuteNonQuery();
                            if (i > 0)
                            {
                                MessageBox.Show("添加成功" + i.ToString() + "行数据");
                            }
                            else
                            {
                                MessageBox.Show("好囧,一行数据都没加上");
                            }

                        }
                        else
                        {
                            MessageBox.Show("你敢不敢先选个分类,亲!");
                        }
                    }
                    break;
                case "修改":
                    using (SqlConnection conn = new SqlConnection(constr))
                    {
                        //获取当前选择行的id
                        int index = listBox1.Text.IndexOf(":");
                        string id = listBox1.Text.Substring(0, index);

                        //获取分类的id
                        int index2 = comboBox1.Text.IndexOf("-->");
                        string c_id = comboBox1.Text.Substring(0, index2);

                        string sql = "UPDATE product SET name = '" + tb_name.Text + "',price =" + tb_price.Text + ",number = " + tb_number.Text + ",c_id = " + c_id + "WHERE id = "+id;
                        SqlCommand cmd = new SqlCommand(sql, conn);
                        conn.Open();

                        int i = cmd.ExecuteNonQuery();
                        if (i > 0)
                        {
                            MessageBox.Show("修改成功" + i.ToString() + "行数据");
                        }
                        else
                        {
                            MessageBox.Show("好囧,一行数据都没修改到");
                        }
                        
                    }

                    break;
            }
        }

        private void button3_Click(object sender, EventArgs e)
        {
            using (SqlConnection conn = new SqlConnection(constr))
            {
                //获取当前选择行的id
                int index = listBox1.Text.IndexOf(":");
                string id = listBox1.Text.Substring(0, index);

                string sql = "delete from product WHERE id = " + id;
                SqlCommand cmd = new SqlCommand(sql, conn);
                conn.Open();

                int i = cmd.ExecuteNonQuery();
                if (i > 0)
                {
                    MessageBox.Show("删除成功" + i.ToString() + "行数据");
                }
                else
                {
                    MessageBox.Show("好囧,一行数据都没删除到");
                }

            }
        }

        //当前窗体关闭,则推出当前程序
        private void Form1_FormClosing(object sender, FormClosingEventArgs e)
        {
            Application.Exit();
        }


        //private void listBox1_SelectedIndexChanged(object sender, EventArgs e)
        //{
        //    if (listBox1.SelectedItems.Count > 0)
        //    {
        //        string constr = "server=QT-201303030913;database=ThreeDb;uid=sa;pwd=daxiang";
        //        //实例化一个数据库连接的对象
        //        SqlConnection conn = new SqlConnection(constr);
        //        //打开数据库连接
        //        conn.Open();
        //        //实例化SqlCommand对象(该对象主要用于执行Sql命令)
        //        SqlCommand cmd = new SqlCommand();

        //        //获取分类的id
        //        //int i = comboBox1.Text.IndexOf("-->");//获取字符串中-->所在位置索引
        //        string id = comboBox1.Text.Substring(0, 1);//只获取-->之前的字符

        //        //指定要执行的SQL语句和存储过程名字
        //        cmd.CommandText = "select * from product where c_id=" + id;
        //        //去顶上面的CommandText属性所赋值到底是sql还是存储过程名称
        //        cmd.CommandType = CommandType.Text;
        //        //指定该命令所用的数据库连接
        //        cmd.Connection = conn;
        //        //声明一个SqlDataReader(数据流对象),并将cmd执行后的结果交给它
        //        SqlDataReader sdr = cmd.ExecuteReader();


        //        //循环整个SqlDataReader对象,将里面的值取出来添加到ListBox中
        //        //sdr.Read()的作用是前进到下一条记录,这也说明SqlDataReader中的数据是一行行放置的
        //        while (sdr.Read())
        //        {
        //            if (sdr["name"].ToString() == listBox1.SelectedItem.ToString())
        //            {
        //                lbl_name.Text = sdr["name"].ToString();
        //                lbl_price.Text = sdr["price"].ToString();
        //                lbl_number.Text = sdr["number"].ToString();
        //                lbl_c_id.Text = comboBox1.Text;
        //            }
        //        }
        //        //关闭数据流
        //        sdr.Close();
        //        //关闭数据库连接
        //        conn.Close();
        //    }
        //}
    }
}

 

 

form2.cs

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using System.Data.SqlClient;

namespace AdoTestForm
{
    public partial class Form2 : Form
    {
        public Form2()
        {
            InitializeComponent();
        }

        private void button1_Click(object sender, EventArgs e)
        {
            string constr = "server=QT-201303030913;database=ThreeDb;uid=sa;pwd=daxiang";
            SqlConnection conn = new SqlConnection(constr);
            SqlCommand cmd = new SqlCommand();

            try
            {
                conn.Open();
                cmd.CommandText = "select count(*) from users where name='" + tb_uname.Text + "' and pwd = '" + tb_pwd.Text + "'";
                cmd.Connection = conn;
                int count = Convert.ToInt32(cmd.ExecuteScalar());
                if (count > 0)
                {
                    MessageBox.Show("哈哈,登陆上了哦!");
                }
                else
                {
                    MessageBox.Show("插,忘记密码了!");
                }
            }
            catch (System.Exception ex)
            {
                MessageBox.Show(ex.Message);
                return;
            }
            finally
            {
                conn.Close();
            }
            #region 使用参数

            try
            {
                conn.Open();
                cmd.CommandText = "select count(*) from users where name=@name and pwd=@pwd";
                cmd.Connection = conn;

                //参数
                cmd.Parameters.AddWithValue("@name", tb_uname.Text);
                cmd.Parameters.AddWithValue("@pwd", tb_pwd.Text);
                int count = Convert.ToInt32(cmd.ExecuteScalar());
                if (count > 0)
                {
                    MessageBox.Show("哈哈,登陆上了哦!");
                }
                else
                {
                    MessageBox.Show("插,忘记密码了!");
                }
                ;
            }
            catch (System.Exception ex)
            {
                MessageBox.Show(ex.Message);
                return;
            }
            finally
            {
                conn.Close();
            }
            #endregion

            //参数化类
            try
            {
                conn.Open();
                cmd.CommandText = "select count(*) from users where name=@name1 and pwd=@pwd1";
                cmd.Connection = conn;

                //参数
                //方式1
                SqlParameter uname = new SqlParameter("@name1", SqlDbType.VarChar, 40, "name");
                uname.Value = tb_uname.Text;
                //方式2
                SqlParameter pwd = new SqlParameter("@pwd1", tb_pwd.Text);

                cmd.Parameters.Add(uname);
                cmd.Parameters.Add(pwd);


                int count = Convert.ToInt32(cmd.ExecuteScalar());
                if (count > 0)
                {
                    MessageBox.Show("哈哈,登陆上了哦!");
                }
                else
                {
                    MessageBox.Show("插,忘记密码了!");
                }
                ;
            }
            catch (System.Exception ex)
            {
                MessageBox.Show(ex.Message);
                return;
            }
            finally
            {
                conn.Close();
            }

        }

        private void button2_Click(object sender, EventArgs e)
        {
            Form1 f1 = new Form1();
            f1.Show();
            this.Hide();
        }



    }
}

 

form1和form2的设计界面

1 2

posted on 2013-11-12 18:25  神秘藏宝室  阅读(693)  评论(0编辑  收藏  举报

 >>>转载请注明出处<<<