ASP.NET 登录控制 - 使用 Authenticate 事件保护 SQLi? [英] ASP.NET Login Control - protect from SQLi with Authenticate event?

问题描述

我有一个关于 ASP.NET 登录控件的快速问题.

I have a quick question about the ASP.NET Login control.

我知道它可以防止 SQL 注入，但我想知道当我使用身份验证"子(用于自定义身份验证方法)时它是否也可以提供保护?

I understand that it protects from SQL Injection, but I was wondering if it also protects when I use the "Authenticate" Sub (for a custom authenticate method)?

我可以继续在 SQL 语句中使用用户名"和密码"而不将它们编码为参数吗?干杯.

Can I go ahead and use 'username' and 'password' in an SQL statement without coding them as parameters? Cheers.

推荐答案

SELECT * FROM aspnet_Membership AS A INNER JOIN aspnet_Users AS B ONA.UserId = B.UserId WHERE B.UserName = '" & Login1.UserName & "' ANDA.Password = '" & Login1.Password & "';"

SELECT * FROM aspnet_Membership AS A INNER JOIN aspnet_Users AS B ON A.UserId = B.UserId WHERE B.UserName = '" & Login1.UserName & "' AND A.Password = '" & Login1.Password & "';"

以上的 SQL 语句是不安全的.它容易受到 SQL 注入攻击.您想使用参数化查询.

Above SQL Statement is not safe. It is prone to SQL Injection attack. You want to use parameterized query.

例如，

SELECT * 
FROM aspnet_Membership AS A INNER JOIN aspnet_Users AS B 
     ON A.UserId = B.UserId 
WHERE B.UserName = @UserName AND A.Password = @Password

这篇关于ASP.NET 登录控制 - 使用 Authenticate 事件保护 SQLi?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！