SQL Injection prevention with Microsoft Access and VB.NET


Problem description

I'm a beginner in ASP.NET so I have some questions about how to prevent SQL injection in ASP.NET. My programming language is VB.NET, not C#, and I'm using Microsoft Access as my database.

My questions are:

  1. How to protect my database from SQL injection?
  2. I have been reading postings from other forums and they said using parameters with stored procedures, parameters with dynamic SQL. Can they be implemented in a Microsoft Access database?

Solution

Here is a very simple ASP.NET example using a parameterized query via OleDb in VB.NET:

Default.aspx

<%@ Page Title="Home Page" Language="vb" MasterPageFile="~/Site.Master" AutoEventWireup="false"
    CodeBehind="Default.aspx.vb" Inherits="vbOleDbSite._Default" %>

<asp:Content ID="HeaderContent" runat="server" ContentPlaceHolderID="HeadContent">
</asp:Content>
<asp:Content ID="BodyContent" runat="server" ContentPlaceHolderID="MainContent">
    <p>
        First Name: <asp:TextBox ID="FirstName" runat="server"></asp:TextBox><br />
        Last Name: <asp:TextBox ID="LastName" runat="server"></asp:TextBox><br />
        &nbsp;<br />
        <asp:Button ID="btnAddUser" runat="server" Text="Add User" />
        &nbsp;<br />
        Status: <span id="spanStatus" runat="server">Awaiting submission...</span>
    </p>
</asp:Content>

Default.aspx.vb

Public Class _Default
    Inherits System.Web.UI.Page

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load

    End Sub

    Protected Sub btnAddUser_Click(sender As Object, e As EventArgs) Handles btnAddUser.Click
        Dim newID As Long = 0
        Using con As New OleDb.OleDbConnection
            con.ConnectionString = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\__tmp\testData.accdb;"
            con.Open()
            Using cmd As New OleDb.OleDbCommand
                cmd.Connection = con
                cmd.CommandText = "INSERT INTO UsersTable (LastName, FirstName) VALUES (?, ?);"
                cmd.Parameters.AddWithValue("?", Me.LastName.Text)
                cmd.Parameters.AddWithValue("?", Me.FirstName.Text)
                cmd.ExecuteNonQuery()
            End Using
            Using cmd As New OleDb.OleDbCommand
                cmd.Connection = con
                cmd.CommandText = "SELECT @@IDENTITY"
                newID = cmd.ExecuteScalar()
            End Using
            con.Close()
        End Using
        Me.spanStatus.InnerText = "User """ & Me.FirstName.Text & " " & Me.LastName.Text & _
                """ has been added (ID: " & newID.ToString() & ")."
    End Sub
End Class

Notes:

  • The parameterized query uses "?" instead of "real" names for the parameters because Access OLEDB ignores parameter names. The parameters must be defined in the exact order that they appear in the OleDbCommand.CommandText.

  • The [UsersTable] table has an AutoNumber primary key, and SELECT @@IDENTITY retrieves the new key value created by the INSERT INTO statement.
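As an added example (not code from the original answer), the same insert rewritten with explicitly typed OleDbParameter objects, plus a lookup that shows why the positional-order rule above matters. The connection string path, the column widths and the CountUsers lookup are assumptions; the UsersTable schema follows the answer.

```vb
Imports System.Data.OleDb

Public Module UserRepository
    ' Assumed connection string, same provider as the answer; the path is a placeholder.
    Private Const ConnStr As String =
        "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\path\to\testData.accdb;"

    ' Inserts one row and returns the new AutoNumber key.
    ' Access OLEDB binds parameters strictly by position, so the two Add calls
    ' must follow the order of the "?" placeholders: LastName first, FirstName second.
    Public Function AddUser(firstName As String, lastName As String) As Long
        Using con As New OleDbConnection(ConnStr)
            con.Open()
            Using cmd As New OleDbCommand(
                    "INSERT INTO UsersTable (LastName, FirstName) VALUES (?, ?);", con)
                ' Explicit types avoid AddWithValue guessing; 255 is the assumed Short Text width.
                cmd.Parameters.Add("pLast", OleDbType.VarWChar, 255).Value = lastName
                cmd.Parameters.Add("pFirst", OleDbType.VarWChar, 255).Value = firstName
                cmd.ExecuteNonQuery()
            End Using
            ' @@IDENTITY is scoped to the connection, so it must run on the same open connection.
            Using cmd As New OleDbCommand("SELECT @@IDENTITY", con)
                Return CLng(cmd.ExecuteScalar())
            End Using
        End Using
    End Function

    ' Counts matching users. The provider ignores the parameter names; only the order
    ' counts, so swapping the two Add lines would silently compare the wrong columns
    ' instead of raising an error.
    Public Function CountUsers(firstName As String, lastName As String) As Integer
        Using con As New OleDbConnection(ConnStr)
            con.Open()
            Using cmd As New OleDbCommand(
                    "SELECT COUNT(*) FROM UsersTable WHERE LastName = ? AND FirstName = ?", con)
                cmd.Parameters.Add("pLast", OleDbType.VarWChar, 255).Value = lastName
                cmd.Parameters.Add("pFirst", OleDbType.VarWChar, 255).Value = firstName
                Return CInt(cmd.ExecuteScalar())
            End Using
        End Using
    End Function

    Sub Main()
        ' Constructed input: the apostrophe would terminate a concatenated SQL literal,
        ' but as a parameter value it is stored and matched literally.
        Dim id As Long = AddUser("Conor", "O'Brien")
        Console.WriteLine("Inserted ID {0}; matches: {1}", id, CountUsers("Conor", "O'Brien"))
    End Sub
End Module
```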
