ADO-Out placeholder (anti-SQL injection attack)

This can be written in a console application when an attack is injected in an add-in program:

Please enter the number: U006

Please enter user name: Invincible

Please enter your password: 1234

Please enter a nickname: hehe

Please enter gender: True

Please enter your birthday: 2000-1-1

Please enter the nationality: N004 '); update Users set password= ' 0000 ';--

Add success!

This not only adds a successful piece of data, but the password for all the data in the Users table in the database is modified to 0000. The data was tampered with and the database was successfully injected into the attack.

So how do we defend this injection attack?

In fact, it is very simple, only need to modify the next program, in the addition of data in C # statements using placeholders, the position occupied on it.

C # Statements:

String nation = Console.ReadLine ();
Conn. Open ();
Cmd.commandtext = "INSERT into Users values (@a,@b,@c,@d,@e,@f,@g)";
cmd. Parameters.clear ();
cmd. Parameters.addwithvalue ("@a", ucode);
cmd. Parameters.addwithvalue ("@b", username);
cmd. Parameters.addwithvalue ("@c", password);
cmd. Parameters.addwithvalue ("@d", nickname);
cmd. Parameters.addwithvalue ("@e", sex);
cmd. Parameters.addwithvalue ("@f", birthday);
cmd. Parameters.addwithvalue ("@g", nation);
int count = cmd. ExecuteNonQuery ();
Conn. Close ();

Use the @xxx placeholder for a good position in advance.

This "N004"); update Users set password= ' 0000 ';--"When the statement executes, it is treated as a whole piece to be stored in the column named Nation (ethnic).

At the same time, the program maintenance staff can clearly see this data in the background of the exception ~ ~ ~

ADO-Out placeholder (anti-SQL injection attack)