2012飞

just do it,believe yourself. 努力和汗水成就梦想
  博客园  :: 首页  :: 新随笔  :: 联系 :: 订阅 订阅  :: 管理

C# 防止SQL注入 转载的

Posted on 2015-02-01 16:26  2012飞  阅读(739)  评论(0编辑  收藏  举报

C# 防止SQL注入攻击

http://blog.csdn.net/limlimlim/article/details/8629582
 
l登录判断:select * from T_Users where UserName=... and Password=...,将参数拼到SQL语句中。
l构造恶意的Password:hello' or 1=1 --
l                      if (dataReader.Read())
l                        {
l                            MessageBox.Show("登陆成功");
l                        }
l                        else
l                        {
l                            MessageBox.Show("登陆失败");
l                        }
l防范注入漏洞攻击的方法:不使用SQL语句拼接,通过参数赋值

          

           string constr = "Data Source=zxtiger;Initial Catalog=itcastcn;Integrated Security=True";
            using (SqlConnection con = new SqlConnection(constr))
            {
                string sql = "select count(*) from UserLogin where LoginId=@uid and LoginPwd=@pwd";
                using (SqlCommand cmd = new SqlCommand(sql, con))
                {
                    ////在执行之前告诉Command对象@uid与@pwd将来用谁来代替
                    ////为变量@uid与@pwd赋值
                    //cmd.Parameters.AddWithValue("@uid", txtUid.Text.Trim());
                    //cmd.Parameters.AddWithValue("@pwd", txtPwd.Text);
                    #region MyRegion
                    //SqlParameter p1 = new SqlParameter("@uid", txtUid.Text.Trim());
                    //cmd.Parameters.Add(p1);

                    //SqlParameter p2 = new SqlParameter("@pwd", txtPwd.Text);
                    //cmd.Parameters.Add(p2);
                    #endregion

                   
                    SqlParameter[] pms = new SqlParameter[] {
                    new SqlParameter("@uid", txtUid.Text.Trim()),
                    new SqlParameter("@pwd", txtPwd.Text)
                    };
                    cmd.Parameters.AddRange(pms);


                    con.Open();
                    int r = Convert.ToInt32(cmd.ExecuteScalar());
                    con.Close();
                    if (r > 0)
                    {
                        MessageBox.Show("登录成功!");
                    }
                    else
                    {
                        MessageBox.Show("登录失败!");
                    }
                }
            }