当SQL Server Compact Edition用作数据库时,如何防止在登录页面中注入SQL
How to prevent SQL injection in login page when SQL Server Compact Edition is used as a database
以下是我的旧代码之一。它使用 SQL CE
作为数据库。我想在这段代码中阻止 sql 注入。
为了防止 sql 注入,我需要参数化 sql 查询。
我不知道如何在代码中使用这些参数。
我该如何修改?
SqlCeConnection con = new SqlCeConnection();
sqlcon.ConnectionString = @"Data Source=dbLogin.sdf;
string query = "select * from [Login] where username = @user AND password = @pass";
SqlCeCommand myCMD = new SqlCeCommand();
myCMD.Connection = sqlcon;
myCMD.CommandText = query;
myCMD.Parameters.Add("@user", Username.Text);
myCMD.Parameters.Add("@pass", Password.Text);
SqlCeDataAdapter sda = new SqlCeDataAdapter(query, con);
DataTable dt = new DataTable();
sda.Fill(dt);
if (dtbl.Rows.Count == 1)
{
Main objMain = new Main();
this.Hide();
objMain.Show();
}
else
{
MessageBox.Show("Invalid Username or Password", "Access Denied", MessageBoxButtons.OK, MessageBoxIcon.Warning);
}
您必须将已定义并填充参数的命令传递给 SqlCeDataAdapter,您错过了这样做。
将您的代码更改为以下内容,
SqlCeConnection sqlcon = new SqlCeConnection();
sqlcon.ConnectionString = @"Data Source=dbLogin.sdf; password =rss900";
string query = "select * from [tblLogin] where username = @user AND password = @pass";
SqlCeCommand myCommand = new SqlCeCommand();
myCommand.Connection = sqlcon;
myCommand.CommandText = query;
myCommand.Parameters.Add("@user", txtUsername.Text);
myCommand.Parameters.Add("@pass", txtPassword.Text);
SqlCeDataAdapter sda = new SqlCeDataAdapter(myCommand);
DataTable dtbl = new DataTable();
sda.Fill(dtbl);
if (dtbl.Rows.Count == 1)
{
Main objfrmMain = new Main();
this.Hide();
objfrmMain.Show();
}
else
{
MessageBox.Show("Invalid Username or Password", "Access Denied", MessageBoxButtons.OK, MessageBoxIcon.Warning);
}
以下是我的旧代码之一。它使用 SQL CE
作为数据库。我想在这段代码中阻止 sql 注入。
为了防止 sql 注入,我需要参数化 sql 查询。
我不知道如何在代码中使用这些参数。
我该如何修改?
SqlCeConnection con = new SqlCeConnection();
sqlcon.ConnectionString = @"Data Source=dbLogin.sdf;
string query = "select * from [Login] where username = @user AND password = @pass";
SqlCeCommand myCMD = new SqlCeCommand();
myCMD.Connection = sqlcon;
myCMD.CommandText = query;
myCMD.Parameters.Add("@user", Username.Text);
myCMD.Parameters.Add("@pass", Password.Text);
SqlCeDataAdapter sda = new SqlCeDataAdapter(query, con);
DataTable dt = new DataTable();
sda.Fill(dt);
if (dtbl.Rows.Count == 1)
{
Main objMain = new Main();
this.Hide();
objMain.Show();
}
else
{
MessageBox.Show("Invalid Username or Password", "Access Denied", MessageBoxButtons.OK, MessageBoxIcon.Warning);
}
您必须将已定义并填充参数的命令传递给 SqlCeDataAdapter,您错过了这样做。
将您的代码更改为以下内容,
SqlCeConnection sqlcon = new SqlCeConnection();
sqlcon.ConnectionString = @"Data Source=dbLogin.sdf; password =rss900";
string query = "select * from [tblLogin] where username = @user AND password = @pass";
SqlCeCommand myCommand = new SqlCeCommand();
myCommand.Connection = sqlcon;
myCommand.CommandText = query;
myCommand.Parameters.Add("@user", txtUsername.Text);
myCommand.Parameters.Add("@pass", txtPassword.Text);
SqlCeDataAdapter sda = new SqlCeDataAdapter(myCommand);
DataTable dtbl = new DataTable();
sda.Fill(dtbl);
if (dtbl.Rows.Count == 1)
{
Main objfrmMain = new Main();
this.Hide();
objfrmMain.Show();
}
else
{
MessageBox.Show("Invalid Username or Password", "Access Denied", MessageBoxButtons.OK, MessageBoxIcon.Warning);
}