023. Asp.net参数化查询预防Sql注入攻击
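/// <summary>
/// Checks a login by running a parameterized query against tb_LoginUser.
/// The user-supplied values travel as SqlParameters and are never concatenated
/// into the SQL text, so they cannot alter the query's structure (SQL injection).
/// </summary>
/// <param name="loginName">User name to look up; bound to @UserName.</param>
/// <param name="loginPwd">Password value to match; bound to @PassWord.</param>
/// <returns>The number of tb_LoginUser rows matching both values (0 when there is no match).</returns>
/// <exception cref="ArgumentNullException">Thrown when either argument is null; a null parameter
/// value would otherwise be treated as "not supplied" and fail at execution time.</exception>
/// <exception cref="SqlException">Propagated unchanged from the database call.</exception>
public int checkLogin(string loginName, string loginPwd)
{
    if (loginName == null)
    {
        throw new ArgumentNullException("loginName");
    }
    if (loginPwd == null)
    {
        throw new ArgumentNullException("loginPwd");
    }

    // The query text is fixed; the only variable parts are the bound parameters.
    // NOTE(review): this compares the stored PassWord column directly with the supplied
    // value, which suggests the table holds plaintext passwords — confirm, and prefer
    // verifying a salted hash in application code if so.
    string strsql = "select count(*) from tb_LoginUser where UserName=@UserName and PassWord=@PassWord";

    // using blocks release the connection and command even when ExecuteScalar throws;
    // closing only on the success path would leak a pooled connection on error.
    using (SqlConnection conn = new SqlConnection(ConfigurationManager.AppSettings["conStr"]))
    using (SqlCommand sqlcom = new SqlCommand(strsql, conn))
    {
        // Typed, length-bounded parameters: the provider sends the values out of band,
        // so quotes or comment sequences in the input are just data.
        sqlcom.Parameters.Add(new SqlParameter("@UserName", SqlDbType.NVarChar, 50)).Value = loginName;
        sqlcom.Parameters.Add(new SqlParameter("@PassWord", SqlDbType.NVarChar, 50)).Value = loginPwd;

        if (conn.State.Equals(ConnectionState.Closed)) // a freshly created connection starts Closed
        {
            conn.Open();
        }

        // count(*) always returns exactly one row with a non-null int, so the cast is safe.
        return (int)sqlcom.ExecuteScalar();
    }
}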