hahacjh
Having chosen the distant road, I care only about pressing on through wind and rain.

1. Login page

Dangerous code (the username and password are spliced straight into the SQL text, so the query is open to SQL injection):


Code:

Imports System.Data
Imports System.Data.SqlClient

' Vulnerable: userName and passwd become part of the statement text. A value such as
'   ' OR '1'='1' --
' closes the quoted literal, forces the WHERE clause true and comments out the password check,
' and an ordinary apostrophe in a name (O'Brien) already breaks the statement.
Dim query As String = String.Format("SELECT username, password FROM userinfo WHERE username='{0}' AND password='{1}'", userName, passwd)
Dim cmd As New SqlCommand(query, conn)

conn.Open()
Dim rdr As SqlDataReader = cmd.ExecuteReader()
Try
    If rdr.HasRows() Then
        ' a matching row means the login is accepted
    End If
Finally
    rdr.Close()
    conn.Close()
End Try

Improved code:

Code:

Imports System.Data
Imports System.Data.SqlClient

' Safe: the SQL text is fixed and userName / passwd are passed as typed parameters,
' so the database never parses user input as part of the statement.
Dim cmd As New SqlCommand("select username, password from userinfo where username=@username and password=@passwd", conn)

Dim param As SqlParameter = cmd.Parameters.Add("@username", SqlDbType.NVarChar, 30)
param.Value = userName

param = cmd.Parameters.Add("@passwd", SqlDbType.NVarChar, 30)
param.Value = passwd

conn.Open()
Dim rdr As SqlDataReader = cmd.ExecuteReader()
Dim ok As Boolean = False

Try
    If rdr.HasRows() Then
        ok = True
    End If
Finally
    rdr.Close()
    conn.Close()
End Try

Parameters stop the injection; note that this query still compares a plaintext password column, which is a separate problem from the one fixed here.

Preventing JavaScript (script injection, XSS) attacks when the username is echoed back into the page:

Code:

' Encode the user-supplied name before writing it into the response, so a value such as
' <script>alert(1)</script> is rendered as text rather than executed by the browser.
Msg.Text = String.Format("Invalid Logon for {0}, please try again", Server.HtmlEncode(userName))
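The bypass that the dangerous listing allows, the parameterized fix, and the HtmlEncode step for the echoed username, as one added example in Python with SQLite standing in for SQL Server. This is not code from the original post: the `userinfo` rows, the `' OR '1'='1' --` payload and the apostrophe-in-name case are constructed for the demo, and SQLite's `?` placeholders play the role of the page's `@username` / `@passwd` parameters.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the page's userinfo table (sample rows, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userinfo (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO userinfo VALUES (?, ?)",
                     [("alice", "s3cret"), ("o'brien", "pw")])
    conn.commit()
    return conn


def login_vulnerable(conn, user_name, passwd):
    """Same shape as the page's String.Format query: input is pasted into the SQL text."""
    query = ("SELECT username, password FROM userinfo "
             "WHERE username='{0}' AND password='{1}'").format(user_name, passwd)
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, user_name, passwd):
    """Same shape as the page's @username/@passwd version; '?' is SQLite's placeholder syntax."""
    query = "SELECT username, password FROM userinfo WHERE username=? AND password=?"
    return conn.execute(query, (user_name, passwd)).fetchone() is not None


def logon_error_message(user_name):
    """Counterpart of Server.HtmlEncode(userName): encode before echoing the name into the page."""
    return "Invalid Logon for {0}, please try again".format(html.escape(user_name, quote=True))


def demo():
    """Runs every case and returns the outcomes so they can be checked, not just printed."""
    conn = make_db()
    # Classic bypass: the quote closes the literal, OR '1'='1' makes the WHERE true,
    # and -- comments out the password check that follows.
    payload = "' OR '1'='1' --"
    try:
        login_vulnerable(conn, "o'brien", "pw")
        quote_breaks_vulnerable = False
    except sqlite3.OperationalError:
        # A legitimate apostrophe already breaks the concatenated statement.
        quote_breaks_vulnerable = True
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "legit_param": login_parameterized(conn, "alice", "s3cret"),
        "bypass_vulnerable": login_vulnerable(conn, payload, "anything"),
        "bypass_param": login_parameterized(conn, payload, "anything"),
        "quote_breaks_vulnerable": quote_breaks_vulnerable,
        "quote_param": login_parameterized(conn, "o'brien", "pw"),
        "xss_message": logon_error_message("<script>alert(1)</script>"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The vulnerable function accepts the payload with no valid password and throws on a name that merely contains an apostrophe; the parameterized one rejects the payload and handles the apostrophe, because the bound value is never tokenized as SQL. The same split applies to the response: the encoded message carries the `<script>` tag as inert text.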

posted on 2010-06-09 12:24  hahacjh