防止MYSQL注入? [英] Good prevention from MYSQL injection?

问题描述

因此，我制作了一个表单，供您从数据库登录.代码应具有自我解释性.

So I've made a form where you login from a DB. Code should be self explanatory.

private void button1_Click(object sender, EventArgs e)
{
    try
    {
        string MyConnection = "datasource=localhost;port=3306;username=root;password=xdmemes123";
        MySqlConnection myConn = new MySqlConnection(MyConnection);
        MySqlCommand SelectCommand = new MySqlCommand("select * from life.players where DBname='"  + this.username.Text + "' and DBpass='" + this.password.Text +"' ; ", myConn);
        MySqlDataReader myReader;
        myConn.Open();
        myReader = SelectCommand.ExecuteReader();
        int count = 0;
        while (myReader.Read())
        {
            count = count + 1;
        }
        if (count == 1)
        {
            Properties.Settings.Default.Security = "Secure";
            Properties.Settings.Default.AdminName = username.Text;
            Properties.Settings.Default.AdminPass = password.Text;
            Properties.Settings.Default.Save();
            MessageBox.Show("Logged in");
            this.Hide();
            Form2 f2 = new Form2();
            f2.ShowDialog();
        }
        else if (count > 1)
        {
            Properties.Settings.Default.Security = "Insecure";
            MessageBox.Show("Incorrect!");
        }
        else
        {
            Properties.Settings.Default.Security = "Insecure";
            MessageBox.Show("Incorrect!");
            myConn.Close();
        }
}
    catch (Exception ex)
    {
        MessageBox.Show("Something went wrong. Error copied to clipboard.");
        Clipboard.SetText(ex.Message);
    }
}

但是我的问题是，这对于MYSQL注入是否安全?如果没有，我该怎么做以确保安全?

But my question is if this is safe from MYSQL Injections? And if not, what can I do to make it safe?

如果可能，请编写或解释如何编写此代码.我对这种编码非常陌生，但确实喜欢它，并且希望继续进行我的程序.

And if possible, write or explain how to write this code. I'm quite new to this coding but really do love it and would like to proceed on my program.

推荐答案

该代码容易受到SQL注入的攻击，实际上，这是一个完美的示例-字符串连接和 SELECT * 将允许攻击者执行以下操作:输入例如 x'OR 1 = 1;#的密码，并检索 all 用户名和未加密的密码.即使是不必要的循环来计数结果，也会导致明显的延迟，这将告诉攻击者他已成功.

The code is vulnerable to SQL injection, in fact, it's a perfect example - string concatenation and SELECT * would allow an attacker to input eg, a password of x' OR 1=1;# and retrieve all usernames and unencrypted passwords. Even the unnecessary loop to count for results will cause a noticeable delay that will tell the attacker he has succeded.

以下代码虽然不是 NOT 验证密码的正确方法，但并不容易受到注入的影响.它仅用于演示目的.请注意，它不使用 SELECT * ，仅使用 SELECT count(*):

The following code isn't vulnerable to injection although it is NOT the proper way to authenticate passwords. It is for demonstration purposes only. Note that it doesn't useSELECT *, only a SELECT count(*):

//Reuse the same command with different connections
void InitializePlayerCmd()
{
    var query = "SELECT COUNT(*) FROM life.players where DBName=@name and DbPass=@pass";
    var myCmd= new MySqlCommand(query);
    myCmd.Parameters.Add("@name", SqlDbType.VarChar,30 );
    myCmd.Parameters.Add("@pass", SqlDbType.VarChar,200 );
    _playerCheckCmd=myCmd;
}

//.....
int CheckPlayer(string someUserName, string someAlreadyHashedString)
{
    var connectionString=Properties.Settings.Default.MyConnectionString;
    using(var myConn= new MySqlConnection(connectionString))
    {
        _playerCheckCmd.Connection=myConn;
        _playerCheckCmd.Parameters["@name"].Value=someUserName;
        _playerCheckCmd.Parameters["@pass"].Value=someAlreadyHashedString;
        myConn.Open();
        var result=_playerCheckCmd.ExecuteScalar();
        return result;
    }
}

这篇关于防止MYSQL注入?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！