asp.net bbs源码分析

asp.ne bbst源码分析

 

---

 

1.登陆页面

 

---

 

1.登陆页面

 

登陆页面中需要注意的大致上就是两条：如何实现验证码？如何防止sql注入。

 

1.如何实现验证码？

 

验证码简单的实现可以通过在服务器端生成一个图片完成。前台的话添加一个img html控件，onclick事件中重新加载checkcode页面。后台中使用dotnet类库中自带的drawing来实现生成一个图片。代码即文档，代码如下：

 

<img id="Img1" alt="看不清，请点击我！" οnclick="this.src=this.src+'?'" src="../ProjectBBS/CheckCode.aspx" mce_src="ProjectBBS/CheckCode.aspx" style="width: 73px; height: 22px" align="left" /></td> 

 

public partial class _Default : System.Web.UI.Page { protected void Page_Load(object sender, EventArgs e) { CreateCheckCodeImage(GenerateCheckCode()); } private string GenerateCheckCode() { int number; char code; string checkCode = String.Empty; Random random = new Random(); for (int i = 0; i < 4; i++) { number = random.Next(); code = (char)('0' + (char)(number % 10)); checkCode += code.ToString(); } Response.Cookies.Add(new HttpCookie("CheckCode", checkCode)); return checkCode; } private void CreateCheckCodeImage(string checkCode) { if (checkCode == null || checkCode.Trim() == String.Empty) return; System.Drawing.Bitmap image = new System.Drawing.Bitmap((int)Math.Ceiling((checkCode.Length * 12.5)), 22); Graphics g = Graphics.FromImage(image); try { //生成随机生成器 Random random = new Random(); //清空图片背景色 g.Clear(Color.White); //画图片的背景噪音线 for (int i = 0; i < 2; i++) { int x1 = random.Next(image.Width); int x2 = random.Next(image.Width); int y1 = random.Next(image.Height); int y2 = random.Next(image.Height); g.DrawLine(new Pen(Color.Black), x1, y1, x2, y2); } Font font = new System.Drawing.Font("Arial", 12, (System.Drawing.FontStyle.Bold)); System.Drawing.Drawing2D.LinearGradientBrush brush = new System.Drawing.Drawing2D.LinearGradientBrush(new Rectangle(0, 0, image.Width, image.Height), Color.Blue, Color.DarkRed, 1.2f, true); g.DrawString(checkCode, font, brush, 2, 2); //画图片的前景噪音点 for (int i = 0; i < 100; i++) { int x = random.Next(image.Width); int y = random.Next(image.Height); image.SetPixel(x, y, Color.FromArgb(random.Next())); } //画图片的边框线 g.DrawRectangle(new Pen(Color.Silver), 0, 0, image.Width - 1, image.Height - 1); System.IO.MemoryStream ms = new System.IO.MemoryStream(); image.Save(ms, System.Drawing.Imaging.ImageFormat.Gif); Response.ClearContent(); Response.ContentType = "image/Gif"; Response.BinaryWrite(ms.ToArray()); } finally { g.Dispose(); image.Dispose(); } } }   

 

 

---

 

 

2.登陆验证如何去避免sql注入？

 

微软的官方网站中有一篇文章详细介绍防止sql注入：http://msdn.microsoft.com/en-us/library/ff648339.aspx。其中主要内容如下：

 

2.1输入验证，永远不要相信用户输入

 

using System; using System.Text.RegularExpressions; public void CreateNewUserAccount(string name, string password) { // Check name contains only lower case or upper case letters, // the apostrophe, a dot, or white space. Also check it is // between 1 and 40 characters long if ( !Regex.IsMatch(userIDTxt.Text, @"^[a-zA-Z'./s]{1,40}$")) throw new FormatException("Invalid name format"); // Check password contains at least one digit, one lower case // letter, one uppercase letter, and is between 8 and 10 // characters long if ( !Regex.IsMatch(passwordTxt.Text, @"^(?=.*/d)(?=.*[a-z])(?=.*[A-Z]).{8,10}$" )) throw new FormatException("Invalid password format"); // Perform data access logic (using type safe parameters) ... }

 

2.2 使用存储过称

 

 using System.Data; using System.Data.SqlClient; using (SqlConnection connection = new SqlConnection(connectionString)) { DataSet userDataset = new DataSet(); SqlDataAdapter myCommand = new SqlDataAdapter( "LoginStoredProcedure", connection); myCommand.SelectCommand.CommandType = CommandType.StoredProcedure; myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11); myCommand.SelectCommand.Parameters["@au_id"].Value = SSN.Text; myCommand.Fill(userDataset); }

 

在执行过程中，@au_id中传递的值是当做纯文本的，不会产生sql注入问题。但是这种情况下需要注意的原有的存储过程是如何编写的。如果是下面的存储过程的话，还是起不到防止注入的功能。

 

CREATE PROCEDURE dbo.RunQuery @var ntext AS exec sp_executesql @var GO

 

2.3 使用参数化的动态sql（字符串拼接的形式）

 

using System.Data; using System.Data.SqlClient; using (SqlConnection connection = new SqlConnection(connectionString)) { DataSet userDataset = new DataSet(); SqlDataAdapter myDataAdapter = new SqlDataAdapter( "SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id", connection); myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11); myCommand.SelectCommand.Parameters["@au_id"].Value = SSN.Text; myDataAdapter.Fill(userDataset); }

 

2.4 数据库权限

 

如果是查询数据库的话，将权限设置的低一点