如何防止登录时进行SQL注入 [英] how to prevent sql injection on login

问题描述

我有两个文本框
用户名使用Textbox1，密码使用Textbox2

I have two text box
Textbox1 for user name and Textbox2 for password

string s = "select UserName,Password,Designation from Login where UserName='" + TextBox1.Text + "'and  Password='" + TextBox2.Text + "'";
 SqlCommand cmd1 = new SqlCommand(s, con);
                SqlDataReader dr = cmd1.ExecuteReader(CommandBehavior.SingleRow);

how to prevent sql injection?

推荐答案

使用参数化查询

Use parametrized Query

string s = "select UserName,Password,Designation from Login where UserName=@uname and  Password=@pass;
 SqlCommand cmd1 = new SqlCommand(s, con);
cmd1.Parameters.AddWithValue("uname",TextBox1.Text);
cmd1.Parameters.AddWithValue("pass",TextBox2.Text);
                SqlDataReader dr = cmd1.ExecuteReader(CommandBehavior.SingleRow);

一些讨论避免SQL注入的链接:
SQL注入攻击以及有关如何预防的一些提示他们 [ ^ ]

http://msdn.microsoft.com/en-us/library/ff648339.aspx [ ^ ]

http://www.mikesdotnetting.com/Article/113/Preventing-SQL- Injection-in-ASP.NET [ ^ ]

Some links that talks about avoiding SQL Injection:
SQL Injection Attacks and Some Tips on How to Prevent Them[^]

http://msdn.microsoft.com/en-us/library/ff648339.aspx[^]

http://www.mikesdotnetting.com/Article/113/Preventing-SQL-Injection-in-ASP.NET[^]

这篇关于如何防止登录时进行SQL注入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！