黑马程序员_The difference between Dispose() and Close(), and how to use using

 

Another way to check a user login with SqlCommand.ExecuteScalar():

Dispose(): destroys the object outright; it cannot be reused.

Close(): closes the connection (the connection can be reused after closing).

using calls Dispose() once execution leaves its scope. SqlConnection and FileStream both make the same internal check: if Close() has not been called yet, they close first and then dispose.
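As an added illustration (not code from the original post), a minimal class that mirrors the Close/Dispose convention described above; DemoConnection and its members are hypothetical names chosen for the example:

```csharp
using System;

// Hypothetical resource class following the same convention as SqlConnection/FileStream:
// Close() releases the underlying handle but leaves the object reusable;
// Dispose() closes if still open and then makes the object permanently unusable.
public sealed class DemoConnection : IDisposable
{
    public bool IsOpen { get; private set; }
    public bool IsDisposed { get; private set; }

    public void Open()
    {
        if (IsDisposed)
            throw new ObjectDisposedException(nameof(DemoConnection)); // no reuse after Dispose()
        IsOpen = true;
    }

    public void Close()
    {
        IsOpen = false; // after Close(), Open() may be called again
    }

    public void Dispose()
    {
        if (IsDisposed) return;   // Dispose() is safe to call more than once
        if (IsOpen) Close();      // the check the real classes make: close first, then dispose
        IsDisposed = true;
    }
}

public static class Program
{
    public static void Main()
    {
        var c = new DemoConnection();
        c.Open();
        c.Close();
        c.Open();   // allowed: Close() only closed, the object is still usable
        Console.WriteLine("Reopened after Close(): " + c.IsOpen);

        using (var d = new DemoConnection())
        {
            d.Open();   // no explicit Close(): 'using' calls Dispose() at the end of the block,
        }               // which closes first and then disposes, even if an exception is thrown

        c.Dispose();
        try { c.Open(); }
        catch (ObjectDisposedException) { Console.WriteLine("Open() after Dispose() throws"); }
    }
}
```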

 

The following code is easily subject to an injection attack (how do we prevent injection?):

    using System;
    using System.Data.SqlClient;

    class Program
    {
        static void Main()
        {
            // When started from Visual Studio's bin\Debug or bin\Release, point |DataDirectory| at the project root
            string dataDir = AppDomain.CurrentDomain.BaseDirectory;
            if (dataDir.EndsWith(@"\bin\Debug\") || dataDir.EndsWith(@"\bin\Release\"))
            {
                dataDir = System.IO.Directory.GetParent(dataDir).Parent.Parent.FullName;
                AppDomain.CurrentDomain.SetData("DataDirectory", dataDir);
            }

            Console.WriteLine("Enter user name:");
            string userName = Console.ReadLine();
            Console.WriteLine("Enter password:");
            string password = Console.ReadLine();

            // using() here makes sure the connection is released when the block ends; the same applies below
            using (SqlConnection conn = new SqlConnection(@"Data Source=.\SQLEXPRESS;AttachDBFilename=|DataDirectory|\Database1.mdf;Integrated Security=true;User Instance=true"))
            {
                conn.Open();
                using (SqlCommand com = conn.CreateCommand())
                {
                    // Vulnerable: user input is concatenated straight into the SQL text
                    com.CommandText = "select count(*) from Table4 where Admin = '" + userName + "' and PassWord = '" + password + "'";
                    int i = Convert.ToInt32(com.ExecuteScalar());
                    if (i > 0)
                    {
                        Console.WriteLine("Login successful");
                    }
                    else
                    {
                        Console.WriteLine("Wrong user name or password");
                    }
                }
            }
            Console.ReadKey();
        }
    }

Parameterized query (not subject to injection attack):

    using System;
    using System.Data.SqlClient;

    class Program
    {
        static void Main()
        {
            // When started from Visual Studio's bin\Debug or bin\Release, point |DataDirectory| at the project root
            string dataDir = AppDomain.CurrentDomain.BaseDirectory;
            if (dataDir.EndsWith(@"\bin\Debug\") || dataDir.EndsWith(@"\bin\Release\"))
            {
                dataDir = System.IO.Directory.GetParent(dataDir).Parent.Parent.FullName;
                AppDomain.CurrentDomain.SetData("DataDirectory", dataDir);
            }

            Console.WriteLine("Enter user name:");
            string userName = Console.ReadLine();
            Console.WriteLine("Enter password:");
            string password = Console.ReadLine();

            // using() here makes sure the connection is released when the block ends; the same applies below
            using (SqlConnection conn = new SqlConnection(@"Data Source=.\SQLEXPRESS;AttachDBFilename=|DataDirectory|\Database1.mdf;Integrated Security=true;User Instance=true"))
            {
                conn.Open();
                using (SqlCommand com = conn.CreateCommand())
                {
                    // User input is passed as parameters, never spliced into the SQL text
                    com.CommandText = "select count(*) from Table4 where Admin = @username and PassWord = @PassWord";
                    // Note: the @username and @PassWord parameter names here should not be the same as the user-input variable names, otherwise unknown errors may occur
                    com.Parameters.Add(new SqlParameter("username", userName));
                    com.Parameters.Add(new SqlParameter("PassWord", password));
                    int i = Convert.ToInt32(com.ExecuteScalar());
                    if (i > 0)
                    {
                        Console.WriteLine("Login successful");
                    }
                    else
                    {
                        Console.WriteLine("Wrong user name or password");
                    }
                }
            }
            Console.ReadKey();
        }
    }


