您的位置：首页 > 职场人生

黑马程序员--ADO.NET学习之SQL注入漏洞攻击

2012-05-16 19:28 429 查看

---------------------- Windows Phone 7手机开发、.Net培训、期待与您交流！ ----------------------

登录判断：select * from T_Users where UserName=... and

Password=...，将参数拼到SQL语句中。

Console.WriteLine("请输入用户名！");
string userName = Console.ReadLine ();
Console.WriteLine("请输入密码！");
string pass = Console.ReadLine();
string str = "Data Source=B048;Initial Catalog=Text;Integrated Security=True";
using (SqlConnection conn = new SqlConnection(str))
{
conn.Open();
using (SqlCommand cmd = conn.CreateCommand())
{
cmd.CommandText = "select count(*) from Person where Name ='" + userName+ "' and Password = '"+pass+"'";
int i = Convert.Toint32(cmd.ExecuteScalar());
if(i>0)
{
Console.WriteLine("登陆成功！");
}
else
{
Console.WriteLine("用户名或密码错误，登陆失败！");
}
}
}
Console.WriteLine("OK");
Console.ReadLine();

注：上述程序有漏洞，则（用户名可随意输入，密码：1'or '1' = '1 则可成功登陆）。

避免漏洞输入代码：

Console.WriteLine("请输入用户名！");
string userName = Console.ReadLine ();
Console.WriteLine("请输入密码！");
string pass = Console.ReadLine();
string str = "Data Source=(local);Initial Catalog=Text;Integrated Security=True";
using (SqlConnection conn = new SqlConnection(str))
{
conn.Open();
using (SqlCommand cmd = conn.CreateCommand())
{
cmd.CommandText = "select * from Person where Name = @userName and Password = @pass";
cmd.Parameters.Add(new sqlParameter("userName",userName));
cmd.Parameters.Add(new sqlParameter("pass",pass));
int i = Convert.Toint32(cmd.ExecuteScalar());
if(i>0)
{
Console.WriteLine("登陆成功！");
}
else
{
Console.WriteLine("用户名或密码错误，登陆失败！");
}
}
}
Console.WriteLine("OK");
Console.ReadLine();

---------------------- Windows Phone 7手机开发、.Net培训、期待与您交流！ ----------------------
详细请查看：http://net.itheima.com/

内容来自用户分享和网络整理，不保证内容的准确性，如有侵权内容，可联系管理员处理

标签： sql windows phone string security .net cmd

相关文章推荐

新的分享

章节导航