ASP.NET 登录控制 - 使用 Authenticate 事件保护 SQLi? [英] ASP.NET Login Control - protect from SQLi with Authenticate event?
问题描述
我有一个关于 ASP.NET 登录控件的快速问题.
I have a quick question about the ASP.NET Login control.
我知道它可以防止 SQL 注入,但我想知道当我使用身份验证"子(用于自定义身份验证方法)时它是否也可以提供保护?
I understand that it protects from SQL Injection, but I was wondering if it also protects when I use the "Authenticate" Sub (for a custom authenticate method)?
我可以继续在 SQL 语句中使用用户名"和密码"而不将它们编码为参数吗?干杯.
Can I go ahead and use 'username' and 'password' in an SQL statement without coding them as parameters? Cheers.
推荐答案
SELECT * FROM aspnet_Membership AS A INNER JOIN aspnet_Users AS B ONA.UserId = B.UserId WHERE B.UserName = '" & Login1.UserName & "' ANDA.Password = '" & Login1.Password & "';"
SELECT * FROM aspnet_Membership AS A INNER JOIN aspnet_Users AS B ON A.UserId = B.UserId WHERE B.UserName = '" & Login1.UserName & "' AND A.Password = '" & Login1.Password & "';"
以上的 SQL 语句是不安全的.它容易受到 SQL 注入攻击.您想使用参数化查询.
Above SQL Statement is not safe. It is prone to SQL Injection attack. You want to use parameterized query.
例如,
SELECT *
FROM aspnet_Membership AS A INNER JOIN aspnet_Users AS B
ON A.UserId = B.UserId
WHERE B.UserName = @UserName AND A.Password = @Password
这篇关于ASP.NET 登录控制 - 使用 Authenticate 事件保护 SQLi?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!