SQL注入prevention与Microsoft Access和VB.NET [英] SQL Injection prevention with Microsoft Access and VB.NET
问题描述
我在ASP.NET初学者,所以我对如何prevent SQL注入在ASP.NET中的一些问题。我的编程语言是VB.NET,而不是C#和我使用Microsoft Access作为我的数据库。
我的问题是:
- 如何保护我的数据库从SQL注入?
- 我一直在阅读从其他论坛的帖子,他们说用
参数与存储过程使用动态SQL参数。可他们在一个Microsoft Access数据库来实现?
下面是一个使用的参数化查询的通过OleDb的VB.NET中的一个非常简单的ASP.NET例如:
Default.aspx的
<%@页标题=主页LANGUAGE =VB的MasterPageFile =〜/的Site.MasterAutoEventWireup =假
codeBehind =Default.aspx.vb继承=vbOleDbSite._Default%GT;< ASP:内容ID =HeaderContent=服务器ContentPlaceHolderID =HeadContent>
< / ASP:内容>
< ASP:内容ID =的BodyContent=服务器ContentPlaceHolderID =日程地址搜索Maincontent>
&所述p为H.;
名字:< ASP:文本框ID =名字=服务器>< / ASP:文本框>< BR />
姓:< ASP:文本框ID =姓氏=服务器>< / ASP:文本框>< BR />
&安培; NBSP;< BR />
< ASP:按钮的ID =btnAddUser=服务器文本=添加用户/>
&安培; NBSP;< BR />
状态:其中,跨度ID =spanStatus=服务器>等待提交...< / SPAN>
&所述; / P>
< / ASP:内容>
Default.aspx.vb
公共类_Default
继承System.Web.UI.Page 保护小组的Page_Load(BYVAL发件人为对象,BYVAL E上System.EventArgs)把手Me.Load 结束小组 保护小组btnAddUser_Click(发送者为对象,E作为EventArgs的)把手btnAddUser.Click
昏暗NEWID只要= 0
使用CON作为新OleDb.OleDbConnection
con.ConnectionString =供应商= Microsoft.ACE.OLEDB.12.0;数据源= C:\\ __ TMP \\ testData.accdb;
con.Open()
使用CMD作为新OleDb.OleDbCommand
cmd.Connection = CON
cmd.CommandText =INSERT INTO UsersTable(姓氏,名字)VALUES(?,?);
cmd.Parameters.AddWithValue(?,Me.LastName.Text)
cmd.Parameters.AddWithValue(?,Me.FirstName.Text)
cmd.ExecuteNonQuery()
使用完
使用CMD作为新OleDb.OleDbCommand
cmd.Connection = CON
cmd.CommandText =SELECT @@ IDENTITY
NEWID = cmd.ExecuteScalar()
使用完
con.Close()
使用完
Me.spanStatus.InnerText =用户,与& Me.FirstName.Text&安培; 与& Me.LastName.Text&安培; _
已被添加(编号:与& newID.ToString()及)。
结束小组
末级
注:
-
参数化查询使用?而不是为参数真正的名字,因为访问OLEDB忽略的参数名称。该参数的必须的的确切顺序,它们出现在
OleDbCommand.CommandText
。 定义 -
在[UsersTable]表中有一个
自动编号
主键和SELECT @@ IDENTITY
检索由INSERT INTO
语句创建新的键值。
I'm a beginner in ASP.NET so I have some questions about how to prevent SQL injection in ASP.NET. My programming language is VB.NET, not C#, and I'm using Microsoft Access as my database.
My questions are:
- How to protect my database from SQL injection?
- I have been reading postings from other forums and they said using parameters with stored procedures, parameters with dynamic SQL. Can they be implemented in a Microsoft Access database?
Here is a very simple ASP.NET example using a parameterized query via OleDb in VB.NET:
Default.aspx
<%@ Page Title="Home Page" Language="vb" MasterPageFile="~/Site.Master" AutoEventWireup="false"
CodeBehind="Default.aspx.vb" Inherits="vbOleDbSite._Default" %>
<asp:Content ID="HeaderContent" runat="server" ContentPlaceHolderID="HeadContent">
</asp:Content>
<asp:Content ID="BodyContent" runat="server" ContentPlaceHolderID="MainContent">
<p>
First Name: <asp:TextBox ID="FirstName" runat="server"></asp:TextBox><br />
Last Name: <asp:TextBox ID="LastName" runat="server"></asp:TextBox><br />
<br />
<asp:Button ID="btnAddUser" runat="server" Text="Add User" />
<br />
Status: <span id="spanStatus" runat="server">Awaiting submission...</span>
</p>
</asp:Content>
Default.aspx.vb
Public Class _Default
Inherits System.Web.UI.Page
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
End Sub
Protected Sub btnAddUser_Click(sender As Object, e As EventArgs) Handles btnAddUser.Click
Dim newID As Long = 0
Using con As New OleDb.OleDbConnection
con.ConnectionString = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\__tmp\testData.accdb;"
con.Open()
Using cmd As New OleDb.OleDbCommand
cmd.Connection = con
cmd.CommandText = "INSERT INTO UsersTable (LastName, FirstName) VALUES (?, ?);"
cmd.Parameters.AddWithValue("?", Me.LastName.Text)
cmd.Parameters.AddWithValue("?", Me.FirstName.Text)
cmd.ExecuteNonQuery()
End Using
Using cmd As New OleDb.OleDbCommand
cmd.Connection = con
cmd.CommandText = "SELECT @@IDENTITY"
newID = cmd.ExecuteScalar()
End Using
con.Close()
End Using
Me.spanStatus.InnerText = "User """ & Me.FirstName.Text & " " & Me.LastName.Text & _
""" has been added (ID: " & newID.ToString() & ")."
End Sub
End Class
Notes:
The parameterized query uses "?" instead of "real" names for the parameters because Access OLEDB ignores parameter names. The parameters must be defined in the exact order that they appear in the
OleDbCommand.CommandText
.The [UsersTable] table has an
AutoNumber
primary key, andSELECT @@IDENTITY
retrieves the new key value created by theINSERT INTO
statement.
这篇关于SQL注入prevention与Microsoft Access和VB.NET的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!