发表新帖
发表新帖

Safety from SQL injection

前端 未结
关注
3 810
栀梦
栀梦 2021-01-17 04:24 
SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings[\"techconn\"].ToString());

            SqlCommand com = new SqlCommand(\"select * from
相关标签:
3条回答
  • 没有蜡笔的小新
    2021-01-17 04:45

    In short, the answer is no. You need to always use parameters in your queries.

    SqlCommand com = new SqlCommand("select * from hs where ac between @ac1 and @ac2 and em=@em", con);

    You then add the parameters to your SqlCommand object (com).

    0 讨论(0)
  • 旧巷少年郎
    2021-01-17 04:59

    IF you use direct textbox reference to your sql query then it will never be SQL injection safe any end user can pass Injecting values to your text box and it will be injected.

    Never use UI elements directly to your SQL you can try the below line of CODE

    SqlConnection conn = new SqlConnection(_connectionString);  
conn.Open();  
string s = "select * from hs where ac between @TextBoxOnevaluevariable and
@TextBoxTwovaluevariable and em=@DropdownSelectedTextVariable";

SqlCommand cmd = new SqlCommand(s);  
cmd.Parameters.Add("@TextBoxOnevaluevariable", Texbox1.Text);  
cmd.Parameters.Add("@TextBoxTwovaluevariable", Texbox2.Text);  
cmd.Parameters.Add("@DropdownSelectedTextVariable",DropDownList1.SelectedItem.Text.ToString());  
SqlDataReader reader = cmd.ExecuteReader();
    0 讨论(0)
  • 我在风中等你
    2021-01-17 05:00

    Yes your code is quite prone to issues, not only sql injection attacks. Try the following: 

        public DataTable GetData(string textbox1, string textbox2, string dropdown)
    {
        DataTable result = null;
        string connString = null;

        if (ConfigurationManager.ConnectionStrings["techconn"] != null)
            connString = ConfigurationManager.ConnectionStrings["techconn"].ConnectionString;

        if (!string.IsNullOrEmpty(connString))
        using (SqlConnection con = new SqlConnection(connString))
        {
            con.Open();

            using (SqlCommand cmd = con.CreateCommand())
            {
                cmd.CommandText = "select * from hs where (ac between @a and @b) and em = @c";

                cmd.Parameters.AddWithValue("@a", textbox1);
                cmd.Parameters.AddWithValue("@b", textbox2);
                cmd.Parameters.AddWithValue("@c", dropdown);

                using (SqlDataAdapter da = new SqlDataAdapter(cmd))
                {
                    result = new DataTable();
                    da.Fill(result);

                }
            }
        }

        return result;

    }

    Paste it in your code and use by 

    DataTable dt = GetData(TextBox1.Text, TextBox2.Text, DropDownList1.SelectedItem.Text.ToString());

            if (dt != null && dt.Rows.Count > 0)
            {
                GridView1.DataSource = dt;
                GridView1.DataBind();
            }
            else
            {
                GridView1.Visible = false;
            }

    Test it properly too.

    0 讨论(0)
 看不清?
提交回复
热议问题