If string is used during user logon. format String concatenation. You may splice the corresponding code to check the verification code. In this way, the vulnerability exists; however, in net, such behavior is prevented by parameters (in essence, stored procedures ;)
Protected void button#click (object sender, EventArgs e)
{
String constr = "data source =.; initial catalog = UserDB1; User id = sa; password = admin ";
Using (SqlConnection con = new SqlConnection (constr ))
{
// String SQL = string. format ("select count (*) from T_Users where FuserName = '{0}' and Fpassword = '{1}'", txtUserName. text. trim (), txtPassword. text );
// The preceding SQL statement concatenation method has the SQL Injection Vulnerability Issue jk 'or 1 = 1 --
// What if injection vulnerability attacks are avoided? Parameter Method or stored procedure Method
String SQL = "select count (*) from T_Users where FuserName = @ username and Fpassword = @ password ";
Using (SqlCommand cmd = new SqlCommand (SQL, con ))
{
Con. Open ();
// Before executing an SQL statement on the data server, you need to tell it @ username and @ password.
// Cmd. Parameters. AddWithValue ("@ username", txtUserName. Text. Trim ());
// Cmd. Parameters. AddWithValue ("@ password", txtPassword. Text );
// Each parameter is a parameter object
// SqlParameter p1 = new SqlParameter ("@ username", txtUserName. Text. Trim ());
// Cmd. Parameters. Add (p1 );
// SqlParameter p2 = new SqlParameter ("@ password", txtPassword. Text );
// Cmd. Parameters. Add (p2 );
// In many cases, the number of parameters is large.
SqlParameter [] pms = new SqlParameter [] {
New SqlParameter ("@ username", txtUserName. Text. Trim ()),
New SqlParameter ("@ password", txtPassword. Text)
};
Cmd. Parameters. AddRange (pms );
// Monitoring shows that the ADO parameter replacement method avoids injection attacks. It uses a stored procedure to process any input strings as strings.
// Exec sp_executesql n' select count (*) from T_Users where FuserName = @ username and Fpassword = @ password', n' @ username nvarchar (13), @ password nvarchar (4) ', @ username = n' jk' or 1 = 1 -- ', @ password = n' sfds'
// In SQL, the method to convert 'single quotes into strings is to add a single quotation mark before.
// All parameters in SQL start,
Int r = Convert. ToInt32 (cmd. ExecuteScalar (); // send the SQL statement to the data server for execution
Con. Close (); // you can Close the link in advance to improve efficiency.
If (r> 0)
{
Response. Write ("Login successful! ");
}
Else
{
Response. Write ("Login Failed! ");
}