2023年6月21日发(作者:)
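// Parameterized queries prevent SQL injection.
//
// Building a SQL statement by string concatenation causes SQL injection. The three listings
// below are successive versions of the same WinForms form, shown together as in the article:
// (1) the vulnerable concatenated query, (2) the same query parameterized with SqlParameter,
// (3) the parameterized version reorganized into a reusable helper. Only the last is meant to
// be kept; the first exists only to show the defect.
//
// Several identifiers were dropped when the article was extracted; they are restored from the
// surviving fragments (ConfigurationManager.ConnectionStrings, Parameters.AddRange, Fill,
// DataSource). The input control's name did not survive at all; `textBox1` below is a
// placeholder for whichever TextBox the form reads.
//
// The usings belong to the final listing in the article; they are hoisted here once because a
// compilation unit may only declare them before its first namespace.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Windows.Forms;

// --- Version 1: VULNERABLE demonstration (string-concatenated SQL) ---
namespace WindowsFormsApp1
{
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }

        private void button1_Click(object sender, EventArgs e)
        {
            FillData(dataGridView1);
        }

        /// <summary>
        /// Loads Employees rows into <paramref name="dataGrid"/>, filtering on the text box value.
        /// </summary>
        /// <remarks>
        /// Defective on purpose: the user-supplied text is spliced into the statement, so the input
        /// decides the query's structure, not just the value being compared.
        /// </remarks>
        private void FillData(DataGridView dataGrid)
        {
            string connStr = ConfigurationManager.ConnectionStrings["Northwind"].ConnectionString;
            using (SqlConnection conn = new SqlConnection(connStr))
            {
                // textBox1 is a placeholder; the original control name was lost in extraction.
                string sql = "select * from Employees where EmployeeID='" + textBox1.Text + "'";
                using (SqlCommand sqlCommand = new SqlCommand(sql, conn))
                {
                    using (SqlDataAdapter sqlData = new SqlDataAdapter(sqlCommand))
                    {
                        DataTable dataTable = new DataTable();
                        // Fill opens the connection itself if it is closed.
                        sqlData.Fill(dataTable);
                        dataGrid.DataSource = dataTable;
                    }
                }
            }
        }
    }
}

// The statement that should be produced for a normal input is:
//     select * from Employees where EmployeeID='1'
// With a crafted input, the statement that is actually produced is:
//     select * from Employees where EmployeeID='' or 1=1 --'
// and every row of the table is returned.
//
// To close the hole, pass the value through a SqlParameter (parameterized query):

// --- Version 2: parameterized query ---
namespace WindowsFormsApp1
{
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }

        private void button1_Click(object sender, EventArgs e)
        {
            FillData(dataGridView1);
        }

        /// <summary>
        /// Loads Employees rows into <paramref name="dataGrid"/>; the text box value is bound as
        /// the @EmployeeID parameter, so it can only ever be a value, never part of the statement.
        /// </summary>
        private void FillData(DataGridView dataGrid)
        {
            string connStr = ConfigurationManager.ConnectionStrings["Northwind"].ConnectionString;
            using (SqlConnection conn = new SqlConnection(connStr))
            {
                string sql = "select * from Employees where EmployeeID=@EmployeeID";
                using (SqlCommand sqlCommand = new SqlCommand(sql, conn))
                {
                    // textBox1 is a placeholder; the original control name was lost in extraction.
                    // The (name, object) constructor infers the parameter type from the value
                    // (a string here); a typed parameter via SqlDbType would be stricter still.
                    SqlParameter[] sqlParameter = { new SqlParameter("@EmployeeID", textBox1.Text) };
                    sqlCommand.Parameters.AddRange(sqlParameter);
                    using (SqlDataAdapter sqlData = new SqlDataAdapter(sqlCommand))
                    {
                        DataTable dataTable = new DataTable();
                        sqlData.Fill(dataTable);
                        dataGrid.DataSource = dataTable;
                    }
                }
            }
        }
    }
}

// Entering the same injection text now produces an error instead of a full table dump.
// This matters for login forms and for any query where an attacker-controlled filter could
// expose rows the caller is not authorized to see.
//
// Reorganized code:

// --- Version 3: parameterized query with a reusable helper ---
namespace WindowsFormsApp1
{
    public partial class Form1 : Form
    {
        // Read once at construction; a missing "Northwind" entry surfaces here as a null
        // dereference rather than on first click.
        private readonly string connStr = ConfigurationManager.ConnectionStrings["Northwind"].ConnectionString;

        public Form1()
        {
            InitializeComponent();
        }

        private void button1_Click(object sender, EventArgs e)
        {
            string sql = "select * from Employees where EmployeeID=@EmployeeID";
            // textBox1 is a placeholder; the original control name was lost in extraction.
            SqlParameter[] sqlParameter = { new SqlParameter("@EmployeeID", textBox1.Text) };
            FillGridView(sql, dataGridView1, sqlParameter);
        }

        /// <summary>
        /// Runs <paramref name="sql"/> against the Northwind connection and binds the result to
        /// <paramref name="dataGrid"/>.
        /// </summary>
        /// <param name="sql">Statement text; values must be supplied through
        /// <paramref name="sqlParameter"/>, never concatenated into this string.</param>
        /// <param name="dataGrid">Grid whose DataSource receives the result table.</param>
        /// <param name="sqlParameter">Optional parameters added to the command; null means none.</param>
        /// <exception cref="ArgumentNullException"><paramref name="sql"/> or
        /// <paramref name="dataGrid"/> is null.</exception>
        private void FillGridView(string sql, DataGridView dataGrid, SqlParameter[] sqlParameter = null)
        {
            if (sql == null)
            {
                throw new ArgumentNullException(nameof(sql));
            }
            if (dataGrid == null)
            {
                throw new ArgumentNullException(nameof(dataGrid));
            }

            using (SqlConnection conn = new SqlConnection(connStr))
            {
                using (SqlCommand sqlCommand = new SqlCommand(sql, conn))
                {
                    if (sqlParameter != null)
                    {
                        sqlCommand.Parameters.AddRange(sqlParameter);
                    }
                    using (SqlDataAdapter sqlDataAdapter = new SqlDataAdapter(sqlCommand))
                    {
                        DataTable dataTable = new DataTable();
                        sqlDataAdapter.Fill(dataTable);
                        dataGrid.DataSource = dataTable;
                    }
                }
            }
        }
    }
}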