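// Looks up T_student rows whose Name matches the text in tbQuery and shows each
// name in a message box. The user-supplied value is passed as a query parameter,
// never spliced into the SQL text.
// NOTE(review): the connection string embeds the `sa` login and its password in
// source; it should be read from configuration and use a least-privilege login.
using (SqlConnection conn = new SqlConnection(
"Data Source = .;Initial Catalog = DB1;User ID = sa;Password = zxcasd"))
{
    conn.Open();
    using (SqlCommand cmd = conn.CreateCommand())
    {
        // Concatenating tbQuery.Text into the SQL string would be open to SQL
        // injection; with a parameter the input is always treated as data.
        cmd.CommandText = "select * from T_student where Name = @Name";
        // Declare the parameter type explicitly instead of letting the provider
        // infer it from the CLR value of tbQuery.Text.
        cmd.Parameters.Add("@Name", System.Data.SqlDbType.NVarChar).Value = tbQuery.Text;
        using (SqlDataReader reader = cmd.ExecuteReader())
        {
            while (reader.Read())
            {
                // GetString throws on a NULL cell, so guard it first.
                // Ordinal 4 is assumed to be the Name column of T_student — TODO confirm against the schema.
                string name = reader.IsDBNull(4) ? string.Empty : reader.GetString(4);
                MessageBox.Show(name);
            }
        }
    }
}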
避免SQL注入漏洞攻击