参数化提交SQL语句和拼接SQL语句安全性分析 SQL注入 简单对比分析

2016-12-30 09:56:21来源:oschina作者:深圳大道人点击

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="LoginTest.aspx.cs" Inherits="LoginTest" %>



参数化提交SQL语句和拼接SQL语句安全性分析 SQL注入 简单对比分析




用户名:





密码:












using System;
using System.Collections.Generic;
using System.Data;
using System.Data.Common;
using System.Data.SqlClient;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using MSCL;
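public partial class LoginTest : System.Web.UI.Page
{
    // Connection string for the parameterized demo. It embeds the "sa" account and
    // its password in source; a real application would load this from protected
    // configuration (web.config connectionStrings) and use a least-privilege login
    // instead of sa. Kept verbatim here because this is the article's demo setup.
    private const string ConnectionString = "server=localhost;database=demo;uid=sa;pwd=smile";

    // The login query used by the safe variant. Both buttons run the same logical
    // query; the only difference is how the two user-supplied values reach the server.
    private const string LoginQuery = "SELECT COUNT(*) FROM USERINFO WHERE USERNAME=@USERNAME AND UPWD=@UPWD";

    protected void Page_Load(object sender, EventArgs e)
    {
        // This page only compares parameterized SQL with string-concatenated SQL with
        // respect to SQL injection. Detecting or filtering "dangerous" characters in
        // application code is outside the scope of the comparison.
    }

    /// <summary>
    /// Safe variant: user name and password are bound as typed <see cref="SqlParameter"/>s,
    /// so the input is compared as data and is never interpreted as part of the SQL text.
    /// Writes "成功" when a matching USERINFO row exists, otherwise "失败".
    /// </summary>
    /// <remarks>
    /// Compared to the original, the connection and command are disposed via using-blocks
    /// (the original closed only the connection, in a finally, and never disposed the
    /// command), and a database error now fails closed with "失败" instead of being
    /// silently swallowed by an empty catch. Exception details are deliberately not
    /// written to the response.
    /// </remarks>
    protected void Button1_Click(object sender, EventArgs e)
    {
        string userName = TextBox1.Text.Trim();
        string pwd = TextBox2.Text.Trim();

        using (SqlConnection connection = new SqlConnection(ConnectionString))
        using (SqlCommand command = new SqlCommand(LoginQuery, connection))
        {
            // Typed parameters with an explicit length (NVARCHAR(50)). Because the driver
            // binds the values separately from the statement, a quote or "or '1'='1"
            // fragment in the input is just a string the server compares against the column.
            SqlParameter para1 = new SqlParameter("@USERNAME", SqlDbType.NVarChar, 50);
            para1.Value = userName;
            command.Parameters.Add(para1);
            SqlParameter para2 = new SqlParameter("@UPWD", SqlDbType.NVarChar, 50);
            para2.Value = pwd;
            command.Parameters.Add(para2);

            try
            {
                connection.Open();
                int i = Convert.ToInt32(command.ExecuteScalar());
                Response.Write(i > 0 ? "成功" : "失败");
            }
            catch (SqlException)
            {
                // Fail closed: a login check that cannot run must not report success,
                // and the SQL error text must not be echoed to the client.
                Response.Write("失败");
            }
        }
        // NOTE(review): the query compares UPWD directly against the submitted text, which
        // suggests passwords are stored in clear text — confirm against the schema; a
        // salted password hash (e.g. PBKDF2) should be stored and compared instead.

        /*
        Equivalent form using the project's MSCL.SqlHelper wrapper with a parameter array:
        SqlParameter[] parameters ={
        new SqlParameter("@USERNAME",SqlDbType.NVarChar,50),
        new SqlParameter("@UPWD",SqlDbType.NVarChar,50)};
        parameters[0].Value = UserName;
        parameters[1].Value = Pwd;
        string sql = "SELECT COUNT(*) FROM USERINFO WHERE USERNAME=@USERNAME AND UPWD=@UPWD";
        int i = Convert.ToInt32(MSCL.SqlHelper.GetSingle(sql, parameters));
        if (i > 0)
        {
        Response.Write("成功");
        }
        else
        {
        Response.Write("失败");
        }
        */
    }

    /// <summary>
    /// Deliberately vulnerable variant, kept only as the article's negative example:
    /// the two inputs are concatenated straight into the SQL text, so a quote character
    /// in the input changes the structure of the query instead of being compared as data.
    /// Never use this form in real code; <see cref="Button1_Click"/> shows the fix.
    /// </summary>
    protected void Button2_Click(object sender, EventArgs e)
    {
        string userName = TextBox1.Text.Trim(); // any value
        string pwd = TextBox2.Text.Trim(); // classic SQL login injection: enter a' or '1'='1
        // INSECURE BY DESIGN (demo only): string-built SQL with untrusted input.
        object obj = MSCL.SqlHelper.GetSingle("SELECT COUNT(*) FROM USERINFO WHERE USERNAME='" + userName + "' AND UPWD='" + pwd + "' ");
        Response.Write(Convert.ToInt32(obj) > 0 ? "成功" : "失败");
    }
}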
