防范注入漏洞攻击的方法:不使用SQL语句拼接,通过参数赋值
SQL注入实例演示:
登录判断:select * from T_Users where UserName=... and Password=...,将参数拼到SQL语句中。
构造恶意的Password:hello' or 1=1 --
if (dataReader.Read())
{
MessageBox.Show("登陆成功");
}
else
{
MessageBox.Show("登陆失败");
}
string constr = "Data Source=zxtiger;Initial Catalog=itcastcn;Integrated Security=True";
using (SqlConnection con = new SqlConnection(constr))
{
string sql = "select count(*) from UserLogin where LoginId=@uid and LoginPwd=@pwd";
using (SqlCommand cmd = new SqlCommand(sql, con))
{
//在执行之前告诉Command对象@uid与@pwd将来用谁来代替
//为变量@uid与@pwd赋值
//方法一
//cmd.Parameters.AddWithValue("@uid", txtUid.Text.Trim());
//cmd.Parameters.AddWithValue("@pwd", txtPwd.Text);
//方法二
//SqlParameter p1 = new SqlParameter("@uid", txtUid.Text.Trim());
//cmd.Parameters.Add(p1);
//SqlParameter p2 = new SqlParameter("@pwd", txtPwd.Text);
//cmd.Parameters.Add(p2);
//方法三
SqlParameter[] pms = new SqlParameter[] {
new SqlParameter("@uid", txtUid.Text.Trim()),
new SqlParameter("@pwd", txtPwd.Text)
cmd.Parameters.AddRange(pms);
};
con.Open();
int r = Convert.ToInt32(cmd.ExecuteScalar());
con.Close();
if (r > 0)
{
MessageBox.Show("登录成功!");
}
else
{
MessageBox.Show("登录失败!");
}
}