ado.net sqlserver 注入漏洞问题
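using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Data.SqlClient;

namespace login1
{
    /// <summary>
    /// Console login demo. Reads a username and password from stdin and checks
    /// them against mytable2 with a parameterized query, so an input such as
    /// 1'or'1'='1 is bound as a literal string value and can never alter the SQL.
    /// </summary>
    class Program
    {
        /// <summary>
        /// Entry point. Prompts for credentials, runs the lookup and prints
        /// "登录成功!" when at least one matching row exists, otherwise
        /// "用户名或密码错误!".
        /// </summary>
        /// <param name="args">Unused command-line arguments.</param>
        static void Main(string[] args)
        {
            Console.WriteLine("请输入用户名:");
            // ReadLine() returns null once stdin is closed (EOF). A null value on a
            // SqlParameter means "not supplied", so ExecuteScalar would throw;
            // coalesce to an empty string, which simply matches no row.
            string username = Console.ReadLine() ?? string.Empty;
            Console.WriteLine("请输入密码:");
            // NOTE(review): the password is echoed to the console as typed; mask the
            // input (ReadKey with intercept) before this leaves the demo stage.
            string password = Console.ReadLine() ?? string.Empty;

            // Local SQL Express user instance with Windows authentication; no
            // database credentials are embedded in the connection string.
            using (SqlConnection conn = new SqlConnection(
                @"data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=D:\My Documents\Visual Studio 2008\Projects\ado.net\ado.net\Database1.mdf;User Instance=true"))
            {
                conn.Open();
                using (SqlCommand cmd = conn.CreateCommand())
                {
                    // Never build the statement by string concatenation, e.g.
                    //   "select count(*) from mytable2 where username='" + username + "' and password='" + password + "'"
                    // That is the injection hole: a value like 1'or'1'='1 rewrites the
                    // WHERE clause. @un and @p below are placeholders; the driver sends
                    // the bound values separately, so they are never parsed as SQL.
                    cmd.CommandText = "select count(*) from mytable2 where username=@un and password=@p";
                    // SqlClient accepts names with or without the leading '@'; it is
                    // written explicitly here to match the placeholders in the text.
                    cmd.Parameters.Add(new SqlParameter("@un", username));
                    cmd.Parameters.Add(new SqlParameter("@p", password));

                    // NOTE(review): comparing the password column directly implies the
                    // table stores passwords in plaintext. Production code should store
                    // a salted hash (e.g. PBKDF2) and verify the entered password against
                    // it in application code. Left as-is here because it needs a schema
                    // change; parameterization alone does not make this safe to deploy.

                    // ExecuteScalar returns the first column of the first row as object;
                    // count(*) always yields exactly one row, so the value is never null.
                    int matches = Convert.ToInt32(cmd.ExecuteScalar());
                    if (matches > 0)
                    {
                        Console.WriteLine("登录成功!");
                    }
                    else
                    {
                        Console.WriteLine("用户名或密码错误!");
                    }
                }
            }
            Console.ReadKey();
        }
    }
}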