How do I prevent MySQL Database Injection Attacks using vb.net?
I am using vb.net in Visual Basic 2010 and using Query to edit my Online MySQL Database from the application (WinForms).
Here is a sample to insert a new user into the database:
MySQLCon.Open()
Dim SQLADD As String = "INSERT INTO members(member,gamertag,role) VALUES('" & memberToAdd.Text & "','" & membersGamertag.Text & "','" & membersRole.Text & "')"
COMMAND = New MySqlCommand(SQLADD, MySQLCon)
READER = COMMAND.ExecuteReader
memberToAdd.Text = ""
membersGamertag.Text = ""
membersRole.Text = ""
MySQLCon.Close()
MySQLCon.Dispose()
How to Prevent MySQL Database Injection Attacks?
--------------------------------------------------------------------------------
Is this Parameterized way also ideal for these sets of code?
Set 1:
Dim SQLReq As String = "UPDATE members SET req= '" & request & "' WHERE member= '" & My.Settings.username & "'"
submitRequest(SQLReq)
Set 2
MySQLCon.Open()
Dim SQLID As String = "SELECT * FROM members WHERE member='" & My.Settings.username & "'"
COMMAND = New MySqlCommand(SQLID, MySQLCon)
READER = COMMAND.ExecuteReader()
While READER.Read
xboxGamertag.Value2 = READER.GetString("gamertag")
vagueRole.Value2 = READER.GetString("role")
vagueID.Value2 = READER.GetInt32("id")
End While
MySQLCon.Close()
MySQLCon.Dispose()
Set 3
MySQLCon.Open()
Dim Query As String
Query = "SELECT member FROM members"
command = New MySqlCommand(Query, MySQLCon)
SDA.SelectCommand = command
SDA.Fill(dbDataSet)
bSource.DataSource = dbDataSet
vagueMembers.DataSource = bSource
SDA.Update(dbDataSet)
MySQLCon.Close()
MySQLCon.Dispose()
This is an edit for @Fred
Set 1 is now:
MySQLCon.Open()
Dim SQLADD As String = "UPDATE members SET req= @request WHERE member= @memberName"
COMMAND = New MySqlCommand(SQLADD, MySQLCon)
COMMAND.Parameters.AddWithValue("@request", request)
COMMAND.Parameters.AddWithValue("@memberName", My.Settings.username)
COMMAND.ExecuteNonQuery()
MySQLCon.Close()
MySQLCon.Dispose()
Set 2 is now:
MySQLCon.Open()
Dim SQLID As String = "SELECT * FROM members WHERE member= @member"
COMMAND = New MySqlCommand(SQLID, MySQLCon)
COMMAND.Parameters.AddWithValue("@member", My.Settings.username)
READER = COMMAND.ExecuteReader()
While READER.Read
xboxGamertag.Value2 = READER.GetString("gamertag")
vagueRole.Value2 = READER.GetString("role")
vagueID.Value2 = READER.GetInt32("id")
End While
MySQLCon.Close()
MySQLCon.Dispose()
Set 3 is now:
Same as usual, because you said it should be fine.
Are these correct? Protected from Injections?
MySQLCon.Open()
Dim SQLADD As String = "INSERT INTO members(member,gamertag,role) VALUES(@memberToAdd, @memberGamingTag, @memberRole)"
COMMAND = New MySqlCommand(SQLADD, MySQLCon)
COMMAND.Parameters.AddWithValue("@memberToAdd", memberToAdd.Text)
COMMAND.Parameters.AddWithValue("@memberGamingTag", membersGamertag.Text)
COMMAND.Parameters.AddWithValue("@memberRole", membersRole.Text)
COMMAND.ExecuteNonQuery()
memberToAdd.Text = ""
membersGamertag.Text = ""
membersRole.Text = ""
MySQLCon.Close()
MySQLCon.Dispose()
You don't need to use COMMAND.ExecuteReader as you are not retrieving data.
You should never build your queries like this:
"UPDATE members SET req= '" & request & "' WHERE member= '" & My.Settings.username & "'"
It is vulnerable to SQL Injection; you should parameterize your queries as I have in the example above. This applies to any query, be it INSERT, UPDATE or SELECT.
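The parameterized INSERT and SELECT from this thread, rewritten as an added example (not the asker's or Fred's code) with Using blocks so the connection and reader are always disposed, and with explicitly typed parameters instead of AddWithValue. MembersRepository, AddMember, GetMember and the placeholder connection string are assumed names; MySql.Data (MySql.Data.MySqlClient) is assumed to be referenced.

```vbnet
' Added example, not from the original thread. Assumes MySql.Data is referenced
' and that the members table has the thread's columns: id, member, gamertag, role.
Imports MySql.Data.MySqlClient

Public Module MembersRepository

    ' Placeholder connection string; load it from configuration in a real app.
    Private Const ConnStr As String = "server=localhost;database=PLACEHOLDER;uid=PLACEHOLDER;pwd=PLACEHOLDER"

    ' Inserts a member. The values travel as parameters, never as SQL text, so a
    ' gamertag such as O'Brien cannot terminate the string literal in the query.
    Public Function AddMember(member As String, gamertag As String, role As String) As Integer
        Const sql As String =
            "INSERT INTO members(member, gamertag, role) VALUES(@member, @gamertag, @role)"
        Using con As New MySqlConnection(ConnStr)
            Using cmd As New MySqlCommand(sql, con)
                ' Explicit types avoid the type inference that AddWithValue performs.
                cmd.Parameters.Add("@member", MySqlDbType.VarChar).Value = member
                cmd.Parameters.Add("@gamertag", MySqlDbType.VarChar).Value = gamertag
                cmd.Parameters.Add("@role", MySqlDbType.VarChar).Value = role
                con.Open()
                Return cmd.ExecuteNonQuery()   ' rows affected; no reader needed for an INSERT
            End Using
        End Using
    End Function

    ' Reads one member row (Set 2 in the question) with the same pattern.
    ' Returns Nothing when no row matches.
    Public Function GetMember(member As String) As Tuple(Of Integer, String, String)
        Const sql As String = "SELECT id, gamertag, role FROM members WHERE member = @member"
        Using con As New MySqlConnection(ConnStr)
            Using cmd As New MySqlCommand(sql, con)
                cmd.Parameters.Add("@member", MySqlDbType.VarChar).Value = member
                con.Open()
                Using reader As MySqlDataReader = cmd.ExecuteReader()
                    If reader.Read() Then
                        Return Tuple.Create(reader.GetInt32("id"),
                                            reader.GetString("gamertag"),
                                            reader.GetString("role"))
                    End If
                End Using
            End Using
        End Using
        Return Nothing
    End Function

End Module
```

Opening a fresh connection inside each Using block replaces the shared MySQLCon from the thread; connection pooling in MySql.Data keeps this cheap, and nothing is left open if a query throws.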