如何使用 vb.net 防止 MySQL 数据库注入攻击?
How do I prevent MySQL Database Injection Attacks using vb.net?
我在 Visual Basic 2010 中使用 vb.net 并使用查询从应用程序 (WinForms) 编辑我的在线 MySQL 数据库。
这是一个将新用户插入数据库的示例:
MySQLCon.Open()
Dim SQLADD As String = "INSERT INTO members(member,gamertag,role) VALUES('" & memberToAdd.Text & "','" & membersGamertag.Text & "','" & membersRole.Text & "')"
COMMAND = New MySqlCommand(SQLADD, MySQLCon)
READER = COMMAND.ExecuteReader
memberToAdd.Text = ""
membersGamertag.Text = ""
membersRole.Text = ""
MySQLCon.Close()
MySQLCon.Dispose()
如何防止MySQL数据库注入攻击?
---------------------------------------- --------------------------------------
Is this Parameterized way also ideal for these sets of code?
Set 1:
Dim SQLReq As String = "UPDATE members SET req= '" & request & "' WHERE member= '" & My.Settings.username & "'"
submitRequest(SQLReq)
Set 2
MySQLCon.Open()
Dim SQLID As String = "SELECT * FROM members WHERE member='" & My.Settings.username & "'"
COMMAND = New MySqlCommand(SQLID, MySQLCon)
READER = COMMAND.ExecuteReader()
While READER.Read
xboxGamertag.Value2 = READER.GetString("gamertag")
vagueRole.Value2 = READER.GetString("role")
vagueID.Value2 = READER.GetInt32("id")
End While
MySQLCon.Close()
MySQLCon.Dispose()
Set 3
MySQLCon.Open()
Dim Query As String
Query = "SELECT member FROM members"
command = New MySqlCommand(Query, MySQLCon)
SDA.SelectCommand = command
SDA.Fill(dbDataSet)
bSource.DataSource = dbDataSet
vagueMembers.DataSource = bSource
SDA.Update(dbDataSet)
MySQLCon.Close()
MySQLCon.Dispose()
This is an edit for @Fred
Set 1 is now:
MySQLCon.Open()
Dim SQLADD As String = "UPDATE members SET req= @request WHERE member= @memberName"
COMMAND = New MySqlCommand(SQLADD, MySQLCon)
COMMAND.Parameters.AddWithValue("@request", request)
COMMAND.Parameters.AddWithValue("@memberName", My.Settings.username)
COMMAND.ExecuteNonQuery()
MySQLCon.Close()
MySQLCon.Dispose()
Set 2 is now:
MySQLCon.Open()
Dim SQLID As String = "SELECT * FROM members WHERE member= @member"
COMMAND = New MySqlCommand(SQLID, MySQLCon)
COMMAND.Parameters.AddWithValue("@member", My.Settings.username)
COMMAND.ExecuteNonQuery()
READER = COMMAND.ExecuteReader()
While READER.Read
xboxGamertag.Value2 = READER.GetString("gamertag")
vagueRole.Value2 = READER.GetString("role")
vagueID.Value2 = READER.GetInt32("id")
End While
MySQLCon.Close()
MySQLCon.Dispose()
Set 3 is now:
Same as usual cause you said it should be fine.
这些正确吗?免于注射?
而不是像这样连接您的 SQL 语句:
Dim SQLADD As String = "INSERT INTO members(member,gamertag,role) VALUES('" & memberToAdd.Text & "','" & membersGamertag.Text & "','" & membersRole.Text & "')"
您可以像这样使用不带任何引号的 @ 前缀来指定每个参数:
Dim SQLADD As String = "INSERT INTO members(member,gamertag,role) VALUES(@member, @gamertag, @role)"
然后使用数据库中数据类型的正确变量类型为每个参数指定值:
command.Parameters.AddWithValue("@member", member)
command.Parameters.AddWithValue("@gamertag", gamertag)
command.Parameters.AddWithValue("@role", role)
您的示例编辑不是参数化查询。永远不要将 SQL 字符串与变量连接起来。
MySQLCon.Open()
Dim SQLADD As String = "INSERT INTO members(member,gamertag,role) VALUES(@memberToAdd, @memberGamingTag, @memberRole)"
COMMAND = New MySqlCommand(SQLADD, MySQLCon)
COMMAND.Parameters.AddWithValue("@memberToAdd", memberToAdd.Text)
COMMAND.Parameters.AddWithValue("@memberGamingTag", membersGamertag.Text)
COMMAND.Parameters.AddWithValue("@memberRole", membersRole.Text)
COMMAND.ExecuteNonQuery()
memberToAdd.Text = ""
membersGamertag.Text = ""
membersRole.Text = ""
MySQLCon.Close()
MySQLCon.Dispose()
您不需要使用 COMMAND.ExecuteReader,因为您没有检索数据。
你永远不应该像这样构建你的查询:
UPDATE members SET req= '" & request & "' WHERE member= '" & My.Settings.username & "'"
SQL Injection 不可用,您应该像我在上面的示例中那样参数化您的查询。这适用于任何查询 INSERT、UPDATE、SELECT
您应该将插入查询放在存储过程中。
conn.Open();
cmd.Connection = conn;
cmd.CommandText = "add_mem";
cmd.CommandType = CommandType.StoredProcedure;
cmd.Parameters.AddWithValue("@member", "Jones");
cmd.Parameters["@lname"].Direction = ParameterDirection.Input;
cmd.Parameters.AddWithValue("@gamertag", "Tom");
cmd.Parameters["@fname"].Direction = ParameterDirection.Input;
cmd.Parameters.AddWithValue("@role", "1940-06-07");
cmd.Parameters["@bday"].Direction = ParameterDirection.Input;
cmd.Parameters["@empno"].Direction = ParameterDirection.Output;
cmd.ExecuteNonQuery();
我在 Visual Basic 2010 中使用 vb.net 并使用查询从应用程序 (WinForms) 编辑我的在线 MySQL 数据库。
这是一个将新用户插入数据库的示例:
MySQLCon.Open()
Dim SQLADD As String = "INSERT INTO members(member,gamertag,role) VALUES('" & memberToAdd.Text & "','" & membersGamertag.Text & "','" & membersRole.Text & "')"
COMMAND = New MySqlCommand(SQLADD, MySQLCon)
READER = COMMAND.ExecuteReader
memberToAdd.Text = ""
membersGamertag.Text = ""
membersRole.Text = ""
MySQLCon.Close()
MySQLCon.Dispose()
如何防止MySQL数据库注入攻击?
---------------------------------------- --------------------------------------
Is this Parameterized way also ideal for these sets of code?
Set 1:
Dim SQLReq As String = "UPDATE members SET req= '" & request & "' WHERE member= '" & My.Settings.username & "'"
submitRequest(SQLReq)
Set 2
MySQLCon.Open()
Dim SQLID As String = "SELECT * FROM members WHERE member='" & My.Settings.username & "'"
COMMAND = New MySqlCommand(SQLID, MySQLCon)
READER = COMMAND.ExecuteReader()
While READER.Read
xboxGamertag.Value2 = READER.GetString("gamertag")
vagueRole.Value2 = READER.GetString("role")
vagueID.Value2 = READER.GetInt32("id")
End While
MySQLCon.Close()
MySQLCon.Dispose()
Set 3
MySQLCon.Open()
Dim Query As String
Query = "SELECT member FROM members"
command = New MySqlCommand(Query, MySQLCon)
SDA.SelectCommand = command
SDA.Fill(dbDataSet)
bSource.DataSource = dbDataSet
vagueMembers.DataSource = bSource
SDA.Update(dbDataSet)
MySQLCon.Close()
MySQLCon.Dispose()
This is an edit for @Fred
Set 1 is now:
MySQLCon.Open()
Dim SQLADD As String = "UPDATE members SET req= @request WHERE member= @memberName"
COMMAND = New MySqlCommand(SQLADD, MySQLCon)
COMMAND.Parameters.AddWithValue("@request", request)
COMMAND.Parameters.AddWithValue("@memberName", My.Settings.username)
COMMAND.ExecuteNonQuery()
MySQLCon.Close()
MySQLCon.Dispose()
Set 2 is now:
MySQLCon.Open()
Dim SQLID As String = "SELECT * FROM members WHERE member= @member"
COMMAND = New MySqlCommand(SQLID, MySQLCon)
COMMAND.Parameters.AddWithValue("@member", My.Settings.username)
COMMAND.ExecuteNonQuery()
READER = COMMAND.ExecuteReader()
While READER.Read
xboxGamertag.Value2 = READER.GetString("gamertag")
vagueRole.Value2 = READER.GetString("role")
vagueID.Value2 = READER.GetInt32("id")
End While
MySQLCon.Close()
MySQLCon.Dispose()
Set 3 is now:
Same as usual cause you said it should be fine.
这些正确吗?免于注射?
而不是像这样连接您的 SQL 语句:
Dim SQLADD As String = "INSERT INTO members(member,gamertag,role) VALUES('" & memberToAdd.Text & "','" & membersGamertag.Text & "','" & membersRole.Text & "')"
您可以像这样使用不带任何引号的 @ 前缀来指定每个参数:
Dim SQLADD As String = "INSERT INTO members(member,gamertag,role) VALUES(@member, @gamertag, @role)"
然后使用数据库中数据类型的正确变量类型为每个参数指定值:
command.Parameters.AddWithValue("@member", member)
command.Parameters.AddWithValue("@gamertag", gamertag)
command.Parameters.AddWithValue("@role", role)
您的示例编辑不是参数化查询。永远不要将 SQL 字符串与变量连接起来。
MySQLCon.Open()
Dim SQLADD As String = "INSERT INTO members(member,gamertag,role) VALUES(@memberToAdd, @memberGamingTag, @memberRole)"
COMMAND = New MySqlCommand(SQLADD, MySQLCon)
COMMAND.Parameters.AddWithValue("@memberToAdd", memberToAdd.Text)
COMMAND.Parameters.AddWithValue("@memberGamingTag", membersGamertag.Text)
COMMAND.Parameters.AddWithValue("@memberRole", membersRole.Text)
COMMAND.ExecuteNonQuery()
memberToAdd.Text = ""
membersGamertag.Text = ""
membersRole.Text = ""
MySQLCon.Close()
MySQLCon.Dispose()
您不需要使用 COMMAND.ExecuteReader,因为您没有检索数据。
你永远不应该像这样构建你的查询:
UPDATE members SET req= '" & request & "' WHERE member= '" & My.Settings.username & "'"
SQL Injection 不可用,您应该像我在上面的示例中那样参数化您的查询。这适用于任何查询 INSERT、UPDATE、SELECT
您应该将插入查询放在存储过程中。
conn.Open();
cmd.Connection = conn;
cmd.CommandText = "add_mem";
cmd.CommandType = CommandType.StoredProcedure;
cmd.Parameters.AddWithValue("@member", "Jones");
cmd.Parameters["@lname"].Direction = ParameterDirection.Input;
cmd.Parameters.AddWithValue("@gamertag", "Tom");
cmd.Parameters["@fname"].Direction = ParameterDirection.Input;
cmd.Parameters.AddWithValue("@role", "1940-06-07");
cmd.Parameters["@bday"].Direction = ParameterDirection.Input;
cmd.Parameters["@empno"].Direction = ParameterDirection.Output;
cmd.ExecuteNonQuery();