ASP.NET BBS Source Analysis

Source: Internet
Author: User
Tags: how to avoid SQL injection, how to prevent SQL injection, SQL injection, uppercase letter

1. Landing page

On the landing (login) page two things generally deserve attention: how the verification code is implemented, and how SQL injection is prevented.

1. How to implement the verification code

A simple verification code can be implemented by generating a picture on the server side. On the front end, add an IMG HTML control whose onclick event reloads the CheckCode page; on the back end, use the drawing classes in the .NET class library to generate the picture. The code of that page is as follows:


using System;
using System.Drawing;
using System.Drawing.Drawing2D;
using System.Drawing.Imaging;
using System.IO;
using System.Web;

public partial class _Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        CreateCheckCodeImage(GenerateCheckCode());
    }

    // Builds a 4-digit code and stores it in a cookie so the login page can check it later
    private string GenerateCheckCode()
    {
        int number;
        char code;
        string checkCode = String.Empty;
        Random random = new Random();
        for (int i = 0; i < 4; i++)
        {
            number = random.Next();
            code = (char)('0' + (char)(number % 10));
            checkCode += code.ToString();
        }
        Response.Cookies.Add(new HttpCookie("CheckCode", checkCode));
        return checkCode;
    }

    // Renders the code as a GIF with noise lines and noise points and writes it to the response
    private void CreateCheckCodeImage(string checkCode)
    {
        if (checkCode == null || checkCode.Trim() == String.Empty)
            return;
        Bitmap image = new Bitmap((int)Math.Ceiling(checkCode.Length * 12.5), 22);
        Graphics g = Graphics.FromImage(image);
        try
        {
            // Random generator
            Random random = new Random();
            // Clear the picture background colour
            g.Clear(Color.White);
            // Background noise lines
            for (int i = 0; i < 2; i++)
            {
                int x1 = random.Next(image.Width);
                int x2 = random.Next(image.Width);
                int y1 = random.Next(image.Height);
                int y2 = random.Next(image.Height);
                g.DrawLine(new Pen(Color.Black), x1, y1, x2, y2);
            }
            // Font size was lost in the extracted copy; 12 is assumed here
            Font font = new Font("Arial", 12, FontStyle.Bold);
            LinearGradientBrush brush = new LinearGradientBrush(
                new Rectangle(0, 0, image.Width, image.Height),
                Color.Blue, Color.DarkRed, 1.2f, true);
            g.DrawString(checkCode, font, brush, 2, 2);
            // Foreground noise points (the loop count was lost in the extracted copy; 100 is assumed)
            for (int i = 0; i < 100; i++)
            {
                int x = random.Next(image.Width);
                int y = random.Next(image.Height);
                image.SetPixel(x, y, Color.FromArgb(random.Next()));
            }
            // Draw the picture's border line
            g.DrawRectangle(new Pen(Color.Silver), 0, 0, image.Width - 1, image.Height - 1);
            MemoryStream ms = new MemoryStream();
            image.Save(ms, ImageFormat.Gif);
            Response.ClearContent();
            Response.ContentType = "image/gif";
            Response.BinaryWrite(ms.ToArray());
        }
        finally
        {
            g.Dispose();
            image.Dispose();
        }
    }
}
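The generator above only produces the code; the login page still has to compare what the user typed against it. The handler below is an added example, not code from the BBS source. It assumes the generator was changed to keep the code in Session["CheckCode"] instead of the "CheckCode" cookie (a cookie is readable and writable by the client, so it cannot serve as the server's record of the expected value), and it assumes control names CheckCodeTxt and MsgLabel on the login page.

```csharp
// Added example (not part of the original BBS source).
// Assumes the generator stores the code in Session["CheckCode"] rather than a cookie.
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Login : System.Web.UI.Page
{
    // Assumed controls on the page: CheckCodeTxt (TextBox), MsgLabel (Label).
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string expected = Session["CheckCode"] as string;

        // Consume the code whether or not the attempt succeeds, so one
        // generated image is good for exactly one submission.
        Session.Remove("CheckCode");

        if (!CheckCodeMatches(expected, CheckCodeTxt.Text))
        {
            MsgLabel.Text = "Verification code is wrong, please reload it.";
            return;
        }

        // ... continue with the user name / password check ...
    }

    // Pure comparison, kept separate from the page so it can be unit tested.
    public static bool CheckCodeMatches(string expected, string entered)
    {
        if (String.IsNullOrEmpty(expected) || entered == null)
            return false;
        // Ordinal comparison: the code is digits only, no culture rules apply.
        return String.Equals(expected, entered.Trim(), StringComparison.Ordinal);
    }
}
```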

2. Login verification: how to avoid SQL injection

An article on Microsoft's website describes the prevention of SQL injection in detail: http://msdn.microsoft.com/en-us/library/ff648339.aspx. The main points are as follows:

2.1 Input validation: never trust user input

using System;
using System.Text.RegularExpressions;

public void CreateNewUserAccount(string name, string password)
{
    // Check that name contains only lower case or upper case letters,
    // the apostrophe, a dot, or white space. Also check that it is
    // between 1 and 40 characters long
    if (!Regex.IsMatch(name, @"^[a-zA-Z'.\s]{1,40}$"))
        throw new FormatException("Invalid name format");

    // Check that password contains at least one digit, one lower case
    // letter, one upper case letter, and is between 8 and 10
    // characters long
    if (!Regex.IsMatch(password, @"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,10}$"))
        throw new FormatException("Invalid password format");

    // Perform data access logic (using type safe parameters)
    ...
}

2.2 Using stored procedures

using System.Data;
using System.Data.SqlClient;

using (SqlConnection connection = new SqlConnection(connectionString))
{
    DataSet userDataset = new DataSet();
    SqlDataAdapter myCommand = new SqlDataAdapter("LoginStoredProcedure", connection);
    myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
    // The value is passed as a typed parameter, never spliced into SQL text
    myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
    myCommand.SelectCommand.Parameters["@au_id"].Value = SSN.Text;
    myCommand.Fill(userDataset);
}

During execution the value passed in @au_id is treated as plain data, so it does not cause a SQL injection problem. But note how the stored procedure itself is written: passing parameters cannot prevent injection if the stored procedure simply executes the text it is given, as the following one does.

CREATE PROCEDURE dbo.RunQuery
    @var ntext
AS
    exec sp_executesql @var
GO

2.3 Using parameterized dynamic SQL (the SQL text lives in the code rather than in a stored procedure)

using System.Data;
using System.Data.SqlClient;

using (SqlConnection connection = new SqlConnection(connectionString))
{
    DataSet userDataset = new DataSet();
    SqlDataAdapter myDataAdapter = new SqlDataAdapter(
        "SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id", connection);
    // The SQL text is fixed; the user-supplied value travels as a typed parameter
    myDataAdapter.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
    myDataAdapter.SelectCommand.Parameters["@au_id"].Value = SSN.Text;
    myDataAdapter.Fill(userDataset);
}
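The three measures in 2.1, 2.3 and 2.4 are meant to be used together. The method below is an added example, not code from the BBS source or from the Microsoft article: it validates the id format first, sends the value as a typed SqlParameter, and connects with a dedicated read-only login. The database name (pubs), the login name bbs_reader and the id format (digits and dashes, up to 11 characters) are assumptions.

```csharp
// Added example (not from the original BBS source).
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class LoginData
{
    // Assumed: a SQL login that only holds SELECT on the Authors table (2.4).
    // The password is a placeholder; keep the real one in configuration, not in code.
    private const string ConnectionString =
        "Server=.;Database=pubs;User Id=bbs_reader;Password=<placeholder>;";

    // Assumed id format matching the au_id column: digits and dashes, 1 to 11 chars (2.1).
    private static readonly Regex AuIdFormat = new Regex(@"^[0-9-]{1,11}$");

    public static bool IsValidAuId(string auId)
    {
        return auId != null && AuIdFormat.IsMatch(auId);
    }

    // Returns "lastname, firstname" for the author, or null when no row matches.
    public static string FindAuthorName(string auId)
    {
        if (!IsValidAuId(auId))
            throw new FormatException("Invalid au_id format");

        // The statement text is a constant; nothing from the user is spliced into it (2.3).
        const string sql =
            "SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id";

        using (SqlConnection connection = new SqlConnection(ConnectionString))
        using (SqlCommand command = new SqlCommand(sql, connection))
        {
            // The value travels as a typed parameter, so a quote in the input is
            // just data to SQL Server, never part of the statement.
            command.Parameters.Add("@au_id", SqlDbType.VarChar, 11).Value = auId;

            connection.Open();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                if (!reader.Read())
                    return null;
                return reader.GetString(0) + ", " + reader.GetString(1);
            }
        }
    }
}
```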

2.4 Database Permissions

If the application only queries the database, give the account it connects with correspondingly lower permissions, so that a successful injection would gain as little as possible.
