// VULNERABLE (kept as the pattern to avoid): UserName and hashedPass are spliced
// straight into the SQL text, so a value containing a quote character is read as
// part of the query rather than as data -- this is the SQL injection sink.
// The parameterized form further down is the fix.
SqlCommand cmd = new SqlCommand("select UserName from Security_tbUser "
+ " where UserName='" + UserName
+ "' and Password='" + hashedPass + "'", conn);
这种写法会产生 SQL 注入漏洞（用户输入被直接拼接进查询字符串）。
应改为使用参数化查询：
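// Fixed form: UserName and hashedPass are bound as parameters, so the server
// treats their contents purely as data and the query structure cannot change.
// The command is disposed when the lookup ends; 'conn' stays owned by the caller.
using (SqlCommand cmd = new SqlCommand("select UserName from Security_tbUser" +
    " where UserName=@UserName and Password=@Password", conn))
{
    // Typed explicitly instead of via SqlParameter(string, object): that overload
    // infers the SQL type (and an NVarChar length) from each runtime value, which
    // can produce a separate cached plan per distinct length. Column widths are not
    // visible here -- set .Size to match the schema.
    cmd.Parameters.Add("@UserName", System.Data.SqlDbType.NVarChar).Value = UserName;
    cmd.Parameters.Add("@Password", System.Data.SqlDbType.NVarChar).Value = hashedPass;

    // NOTE(review): matching Password inside the WHERE clause presumes hashedPass is
    // computed exactly as stored; with a salted/slow hash (PBKDF2 etc.) the usual
    // design is to fetch the stored hash by UserName and verify it in code instead.

    // ExecuteScalar yields the first column of the first row, or null when no row matched.
    bool RetVal = cmd.ExecuteScalar() != null;
    return RetVal;
}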