Prevent injection vulnerability in the form of parameters

Source: Internet
Author: User

If string is used during user logon. format String concatenation. You may splice the corresponding code to check the verification code. In this way, the vulnerability exists; however, in net, such behavior is prevented by parameters (in essence, stored procedures ;)
Protected void button#click (object sender, EventArgs e)
{
String constr = "data source =.; initial catalog = UserDB1; User id = sa; password = admin ";
Using (SqlConnection con = new SqlConnection (constr ))
{
// String SQL = string. format ("select count (*) from T_Users where FuserName = '{0}' and Fpassword = '{1}'", txtUserName. text. trim (), txtPassword. text );
// The preceding SQL statement concatenation method has the SQL Injection Vulnerability Issue jk 'or 1 = 1 --
// What if injection vulnerability attacks are avoided? Parameter Method or stored procedure Method
String SQL = "select count (*) from T_Users where FuserName = @ username and Fpassword = @ password ";

Using (SqlCommand cmd = new SqlCommand (SQL, con ))
{
Con. Open ();
// Before executing an SQL statement on the data server, you need to tell it @ username and @ password.
// Cmd. Parameters. AddWithValue ("@ username", txtUserName. Text. Trim ());

// Cmd. Parameters. AddWithValue ("@ password", txtPassword. Text );
// Each parameter is a parameter object
// SqlParameter p1 = new SqlParameter ("@ username", txtUserName. Text. Trim ());
// Cmd. Parameters. Add (p1 );
// SqlParameter p2 = new SqlParameter ("@ password", txtPassword. Text );
// Cmd. Parameters. Add (p2 );
// In many cases, the number of parameters is large.

SqlParameter [] pms = new SqlParameter [] {

New SqlParameter ("@ username", txtUserName. Text. Trim ()),
New SqlParameter ("@ password", txtPassword. Text)
};
Cmd. Parameters. AddRange (pms );

// Monitoring shows that the ADO parameter replacement method avoids injection attacks. It uses a stored procedure to process any input strings as strings.
// Exec sp_executesql n' select count (*) from T_Users where FuserName = @ username and Fpassword = @ password', n' @ username nvarchar (13), @ password nvarchar (4) ', @ username = n' jk' or 1 = 1 -- ', @ password = n' sfds'
// In SQL, the method to convert 'single quotes into strings is to add a single quotation mark before.
// All parameters in SQL start,
Int r = Convert. ToInt32 (cmd. ExecuteScalar (); // send the SQL statement to the data server for execution
Con. Close (); // you can Close the link in advance to improve efficiency.
If (r> 0)
{
Response. Write ("Login successful! ");
}
Else
{
Response. Write ("Login Failed! ");
}

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.