OleDB / MySQL 参数添加
OleDB / MySQL Parameter Adding
我对向命令(MySQL 或 OleDB,我目前同时使用两者)添加参数以避免 SQL 注入有疑问。
这个硬编码查询工作得很好,除了开放的注入漏洞;
var queryString = string.Format("SELECT COUNT(*) FROM employs WHERE em_netname = '"+username+"' AND em_password = '"+password+"'");
但是,在修改查询以便我添加参数而不是让漏洞处于打开状态之后,它不起作用。我就是这样做的;
var queryString = string.Format("SELECT COUNT(*) FROM employs WHERE em_netname = @username AND em_password = @password");
OleDbCommand dbfQuery = new OleDbCommand(queryString, dbfCon);
dbfQuery.Parameters.Add("@username", OleDbType.Char).Value = username;
dbfQuery.Parameters.Add("@password", OleDbType.Char).Value = password;
有人可以解释一下为什么这不起作用吗?第一个查询 returns 1 from count,第二个查询 returns 0(它应该 return 1)。
编辑:为了清楚起见,"doesn't work" 我的意思是第一个语句 return 的列数为 1,即有一个用户,查询确实有效。第二个语句,输入的用户名和密码完全相同 returns a 0,即虽然用户名和密码组合确实存在(由第一个语句证明),但查询无法正常工作。
编辑 2:已发布整个 class 代码;
public static bool AuthenticateUser(string username, string password)
{
var constr = ConfigurationManager.ConnectionStrings["dbfString"].ConnectionString;
using (OleDbConnection dbfCon = new OleDbConnection(constr))
{
try
{
dbfCon.Open();
var queryString = string.Format("SELECT COUNT(*) FROM employs WHERE em_netname = @username AND em_password = @password");
OleDbCommand dbfQuery = new OleDbCommand(queryString, dbfCon);
dbfQuery.Parameters.Add("@username", OleDbType.Char).Value = username;
dbfQuery.Parameters.Add("@password", OleDbType.Char).Value = password;
MessageBox.Show("Query: " + queryString);
int numOfColumns = Convert.ToInt32(dbfQuery.ExecuteScalar());
MessageBox.Show(numOfColumns.ToString());
if (numOfColumns == 1)
{
return true;
}
else
{
return false;
}
}
catch (OleDbException)
{
throw;
}
}
}
根据 MSDN,OleDbCommand 不支持命名参数。尝试改用 ?。
The OLE DB .NET Provider does not support named parameters for passing parameters to an SQL statement or a stored procedure called by an OleDbCommand when CommandType is set to Text. In this case, the question mark (?) placeholder must be used. For example:
SELECT * FROM Customers WHERE CustomerID = ?
Therefore, the order in which OleDbParameter objects are added to the OleDbParameterCollection must directly correspond to the position of the question mark placeholder for the parameter in the command text.
我对向命令(MySQL 或 OleDB,我目前同时使用两者)添加参数以避免 SQL 注入有疑问。
这个硬编码查询工作得很好,除了开放的注入漏洞;
var queryString = string.Format("SELECT COUNT(*) FROM employs WHERE em_netname = '"+username+"' AND em_password = '"+password+"'");
但是,在修改查询以便我添加参数而不是让漏洞处于打开状态之后,它不起作用。我就是这样做的;
var queryString = string.Format("SELECT COUNT(*) FROM employs WHERE em_netname = @username AND em_password = @password");
OleDbCommand dbfQuery = new OleDbCommand(queryString, dbfCon);
dbfQuery.Parameters.Add("@username", OleDbType.Char).Value = username;
dbfQuery.Parameters.Add("@password", OleDbType.Char).Value = password;
有人可以解释一下为什么这不起作用吗?第一个查询 returns 1 from count,第二个查询 returns 0(它应该 return 1)。
编辑:为了清楚起见,"doesn't work" 我的意思是第一个语句 return 的列数为 1,即有一个用户,查询确实有效。第二个语句,输入的用户名和密码完全相同 returns a 0,即虽然用户名和密码组合确实存在(由第一个语句证明),但查询无法正常工作。
编辑 2:已发布整个 class 代码;
public static bool AuthenticateUser(string username, string password)
{
var constr = ConfigurationManager.ConnectionStrings["dbfString"].ConnectionString;
using (OleDbConnection dbfCon = new OleDbConnection(constr))
{
try
{
dbfCon.Open();
var queryString = string.Format("SELECT COUNT(*) FROM employs WHERE em_netname = @username AND em_password = @password");
OleDbCommand dbfQuery = new OleDbCommand(queryString, dbfCon);
dbfQuery.Parameters.Add("@username", OleDbType.Char).Value = username;
dbfQuery.Parameters.Add("@password", OleDbType.Char).Value = password;
MessageBox.Show("Query: " + queryString);
int numOfColumns = Convert.ToInt32(dbfQuery.ExecuteScalar());
MessageBox.Show(numOfColumns.ToString());
if (numOfColumns == 1)
{
return true;
}
else
{
return false;
}
}
catch (OleDbException)
{
throw;
}
}
}
根据 MSDN,OleDbCommand 不支持命名参数。尝试改用 ?。
The OLE DB .NET Provider does not support named parameters for passing parameters to an SQL statement or a stored procedure called by an OleDbCommand when CommandType is set to Text. In this case, the question mark (?) placeholder must be used. For example:
SELECT * FROM Customers WHERE CustomerID = ?
Therefore, the order in which OleDbParameter objects are added to the OleDbParameterCollection must directly correspond to the position of the question mark placeholder for the parameter in the command text.