SQL注入漏洞攻击、数据库导入导出[从txt中导入导出]


1.SQL注入漏洞攻击

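/// <summary>
/// Login check: counts rows in T_Users whose user name and password match the two text boxes
/// and writes a success/failure message to the response.
/// </summary>
/// <param name="sender">The button that raised the event (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void Button1_Click(object sender, EventArgs e)
{
    // NOTE(review): the connection string embeds the 'sa' login and its password in source.
    // Keep it in configuration (connectionStrings in web.config) and use a least-privilege
    // login that can only read T_Users; 'sa' is never appropriate for an application account.
    string constr = "data source=pc-20120907sdqu;initial catalog=shool;user id=sa;password=admin";

    // Vulnerable form, kept for contrast: the text-box values were pasted straight into the SQL,
    // so a crafted user name could change the meaning of the WHERE clause (SQL injection).
    // string sql = string.Format("select count(*) from T_Users where FuserName='{0}'and Fpassword='{1}'",txtUserName.Text.Trim(),txtPassword.Text);

    // Parameterised query: the values travel separately from the SQL text and are never parsed as SQL.
    // The placeholder names must match the names registered on cmd.Parameters below; the original
    // wrote "@usernaem" here and registered "@username" twice, which fails at run time.
    const string sql = "select count(*) from T_Users where FuserName=@username and Fpassword=@password";

    using (SqlConnection con = new SqlConnection(constr))
    using (SqlCommand cmd = new SqlCommand(sql, con))
    {
        // One parameter per placeholder, each with a distinct name.
        cmd.Parameters.AddWithValue("@username", txtUserName.Text.Trim());
        cmd.Parameters.AddWithValue("@password", txtPassword.Text);

        con.Open();
        // ExecuteScalar returns the single COUNT(*) cell. No explicit Close(): 'using' disposes the
        // connection, which closes it, on every exit path including exceptions.
        int matches = Convert.ToInt32(cmd.ExecuteScalar());

        // NOTE(review): this compares the password exactly as stored, i.e. in clear text. The column
        // should hold a salted hash (e.g. PBKDF2) and the submitted password should be hashed before
        // comparison; parameterisation fixes injection but not credential storage.
        if (matches > 0)
        {
            Response.Write("登陆成功!");
        }
        else
        {
            Response.Write("登陆失败!");
        }
    }
}
} // closes the enclosing class; its header is outside this excerpt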


 2.数据库导入导出

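namespace Sql注入漏洞攻击
{
    /// <summary>
    /// Demo page: Button1 dumps T_Users to a text file, one "username,password" line per row;
    /// Button2 reads that file back and inserts each line into T_Users.
    /// </summary>
    public partial class 数据导入到出 : System.Web.UI.Page
    {
        // NOTE(review): credentials in source, and the 'sa' login at that. Keep the connection string in
        // configuration and use a least-privilege login limited to T_Users.
        private const string ConnectionString = "data source=.;initial catalog=UserDB1;User id=sa;password=admin";

        // Both buttons use the same file. NOTE(review): the file holds user names and passwords in clear
        // text; restrict its permissions, or better, do not export password columns at all.
        private const string ExportPath = @"E:\2012netClassPtractice\ADO详解\Sql注入漏洞攻击\tblUsers.txt";

        protected void Page_Load(object sender, EventArgs e)
        {
        }

        /// <summary>
        /// Export: writes every row of T_Users to <see cref="ExportPath"/> as "FuserName,Fpassword".
        /// </summary>
        /// <param name="sender">The button that raised the event (unused).</param>
        /// <param name="e">Event data (unused).</param>
        protected void Button1_Click(object sender, EventArgs e)
        {
            // Name the columns rather than 'select *' with positional indexes 1 and 2: the original
            // silently exported the wrong columns if the table layout changed.
            const string sql = "select FuserName, Fpassword from T_Users";

            using (SqlConnection con = new SqlConnection(ConnectionString))
            using (SqlCommand cmd = new SqlCommand(sql, con))
            {
                con.Open();
                using (SqlDataReader reader = cmd.ExecuteReader())
                {
                    // Nothing to export: report and leave without creating the file.
                    if (!reader.HasRows)
                    {
                        Response.Write("数据表中没有数据,没有导出任何数据!");
                        return;
                    }

                    using (StreamWriter sw = new StreamWriter(ExportPath))
                    {
                        while (reader.Read())
                        {
                            // GetValue tolerates NULL (DBNull), which formats as an empty field.
                            object userName = reader.GetValue(0);
                            object password = reader.GetValue(1);
                            sw.WriteLine(string.Format("{0},{1}", userName, password));
                        }
                    }
                    Response.Write("导出完毕!");
                }
            }
        }

        /// <summary>
        /// Import: reads "username,password" lines from <see cref="ExportPath"/> and inserts each one
        /// into T_Users. Either every line is inserted or none is.
        /// </summary>
        /// <param name="sender">The button that raised the event (unused).</param>
        /// <param name="e">Event data (unused).</param>
        protected void Button2_Click(object sender, EventArgs e)
        {
            const string sql = "insert into T_Users (FuserName,Fpassword) values(@username,@password)";

            using (StreamReader sr = new StreamReader(ExportPath))
            using (SqlConnection con = new SqlConnection(ConnectionString))
            using (SqlCommand cmd = new SqlCommand(sql, con))
            {
                // Declare the parameters once, outside the loop, and only reassign Value per row;
                // adding them inside the loop fails with a duplicate-name error on the second row.
                // Fully qualified SqlDbType as in the original, so no extra using directive is needed.
                SqlParameter userParam = cmd.Parameters.Add("@username", System.Data.SqlDbType.VarChar);
                SqlParameter passParam = cmd.Parameters.Add("@password", System.Data.SqlDbType.VarChar);

                // Open once; the original opened and closed the connection for every row.
                con.Open();
                // All-or-nothing: if a line is malformed or an insert fails, disposing the transaction
                // without Commit rolls back the rows inserted so far.
                using (SqlTransaction tx = con.BeginTransaction())
                {
                    cmd.Transaction = tx;
                    while (!sr.EndOfStream)
                    {
                        string line = sr.ReadLine();
                        // Split at the first comma only, so a password containing commas survives the
                        // round trip (user names containing commas still do not). Lines without a
                        // separator (e.g. a blank trailing line) are skipped instead of throwing
                        // IndexOutOfRangeException on columns[1].
                        string[] columns = line.Split(new[] { ',' }, 2);
                        if (columns.Length < 2)
                        {
                            continue;
                        }
                        userParam.Value = columns[0];
                        passParam.Value = columns[1];
                        cmd.ExecuteNonQuery();
                    }
                    tx.Commit();
                }
                Response.Write("导入到数据库已完毕");
            }
        }
    }
}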


 
