Get Boolean value in multiple functions.


Problem description



Hi,
I am new in ASP.net. I want to validate whether the user code exists; will the following code work???

using System;
using System.Data;
using System.Data.SqlClient;
using System.Net;
using System.Web.Http;

public class ServiceAPI : IServiceAPI
{
    SqlConnection dbConnection;
    string errormessage;
    // static: a single value shared by every request that reaches this service,
    // not a result that belongs to one call
    private static Boolean yeUserCod;

    public ServiceAPI()
    {
        dbConnection = DBConnect.getConnection();
    }

    public void CreateNewAccount(string firstName, string lastName, string country)
    {
        userValidation(firstName);

        if (yeUserCod == true)
        {
            if (dbConnection.State == ConnectionState.Closed)
            {
                dbConnection.Open();
            }

            // user input is concatenated straight into the SQL text
            string q_intery = "INSERT INTO UserDetails VALUES ('" + firstName + "','" + lastName + "','" + country + "');";
            SqlCommand command = new SqlCommand(q_intery, dbConnection);
            // an INSERT is run once with ExecuteNonQuery; the original also called
            // ExecuteReader on the same command first, which executed the INSERT twice
            command.ExecuteNonQuery();
            dbConnection.Close();
        }
        else
        {
            throw new HttpResponseException(HttpStatusCode.NotFound);
        }
    }

    public bool userValidation(string firstName)
    {
        yeUserCod = false;

        if (dbConnection.State == ConnectionState.Closed)
        {
            dbConnection.Open();
        }
        // the query has no FROM clause; the table name still has to be supplied
        string query = "SELECT stkmst_code WHERE stkmst_code ='" + firstName + "';";
        SqlCommand command = new SqlCommand(query, dbConnection);
        SqlDataReader reader = command.ExecuteReader();

        if (reader.HasRows)
        {
            yeUserCod = true;
        }
        else
        {
            // throws while the reader and the connection are still open
            throw new HttpResponseException(HttpStatusCode.NotFound);
        }
        reader.Close();
        dbConnection.Close();
        return yeUserCod;
    }
}

Recommended answer


No, this code is definitely unsafe for anything that is not pure entertainment (and even then...).

The main problem is the user validation using SQL queries built by concatenating strings obtained from user input. This leaves your code open to SQL injection attacks, where someone can completely wipe out your database. I'm pretty sure that is not what you want.

Search for "C# Parameterized Queries" on your favorite search engine.

Something like:
// the FROM clause is still missing here, exactly as in the question's query
string query = "SELECT stkmst_code WHERE stkmst_code = @firstName;";
SqlCommand command = new SqlCommand(query, dbConnection);
// the placeholder in the SQL text and the parameter name must match (@firstName in both)
command.Parameters.AddWithValue("@firstName", firstName);








The other query has to be modified, too. You have the idea; now it is up to you to apply the pattern.
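As an added example (this is not the original poster's code nor the answerer's), here are the two methods from the question with the pattern applied to both queries, the existence check returned from the method instead of being passed through a static field, and the connection and command disposed with `using` so they are closed even when an exception is thrown. Everything that is not on the page is an assumption: the SELECT reads from a table called `stkmst` because the question's query has no FROM clause, the `UserDetails` columns are assumed to be `FirstName`, `LastName` and `Country`, and `DBConnect.getConnection()` is assumed to return a new, unopened `SqlConnection` on each call rather than one shared instance.

```csharp
// Added example, not code from the question or the answer.
// Assumptions (not stated on the page): table stkmst for the lookup,
// UserDetails(FirstName, LastName, Country) for the insert, and a
// DBConnect.getConnection() that hands out a fresh connection per call.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Net;
using System.Web.Http;

public class ServiceAPI : IServiceAPI
{
    public void CreateNewAccount(string firstName, string lastName, string country)
    {
        // The result is a return value of the call that computed it. A static field
        // would be one value shared by every concurrent request to this service.
        if (!UserCodeExists(firstName))
        {
            throw new HttpResponseException(HttpStatusCode.NotFound);
        }

        // 'using' disposes the command and closes the connection on every exit path,
        // including an exception thrown by ExecuteNonQuery.
        using (SqlConnection dbConnection = DBConnect.getConnection())
        using (SqlCommand command = new SqlCommand(
            "INSERT INTO UserDetails (FirstName, LastName, Country) " +
            "VALUES (@firstName, @lastName, @country);", dbConnection))
        {
            // Typed parameters: the values travel separately from the SQL text, so a
            // quote or a semicolon inside firstName is data, never part of the statement.
            command.Parameters.Add("@firstName", SqlDbType.NVarChar, 50).Value = firstName;
            command.Parameters.Add("@lastName", SqlDbType.NVarChar, 50).Value = lastName;
            command.Parameters.Add("@country", SqlDbType.NVarChar, 50).Value = country;

            dbConnection.Open();
            // An INSERT is executed once, with ExecuteNonQuery; ExecuteReader is for result sets.
            command.ExecuteNonQuery();
        }
    }

    // Returns true when a row with this code exists; no shared state is written.
    public bool UserCodeExists(string userCode)
    {
        using (SqlConnection dbConnection = DBConnect.getConnection())
        using (SqlCommand command = new SqlCommand(
            "SELECT 1 FROM stkmst WHERE stkmst_code = @userCode;", dbConnection))
        {
            command.Parameters.Add("@userCode", SqlDbType.NVarChar, 50).Value = userCode;

            dbConnection.Open();
            // ExecuteScalar returns the first column of the first row, or null when
            // nothing matched, so there is no SqlDataReader to close.
            return command.ExecuteScalar() != null;
        }
    }
}
```

`Parameters.Add(name, SqlDbType, size)` is used instead of `AddWithValue` so the parameter type and length are fixed by the code rather than inferred from whatever string arrives, which keeps the server-side plan stable and avoids implicit conversions on the indexed column. The lookup deliberately returns a bool rather than throwing, so the caller decides what a missing code means for its own operation.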

