1.登陸頁面
1.登陸頁面登陸頁面中需要注意的大致上就是兩條:如何?驗證碼?如何防止sql注入。
1.如何?驗證碼?驗證碼簡單的實現可以通過在伺服器端產生一個圖片完成。前台的話添加一個img html控制項,onclick事件中重新載入checkcode頁面。後台中使用dotnet類庫中內建的drawing來實現產生一個圖片。代碼即文檔,代碼如下:
<img id="Img1" alt="看不清,請點擊我!" onclick="this.src=this.src+'?'" src="../ProjectBBS/CheckCode.aspx" mce_src="ProjectBBS/CheckCode.aspx"<br /> style="width: 73px; height: 22px" align="left" /></td>
public partial class _Default : System.Web.UI.Page<br />{<br /> protected void Page_Load(object sender, EventArgs e)<br /> {<br /> CreateCheckCodeImage(GenerateCheckCode());<br /> }</p><p> private string GenerateCheckCode()<br /> {<br /> int number;<br /> char code;<br /> string checkCode = String.Empty;</p><p> Random random = new Random();</p><p> for (int i = 0; i < 4; i++)<br /> {<br /> number = random.Next();</p><p> code = (char)('0' + (char)(number % 10));</p><p> checkCode += code.ToString();<br /> }</p><p> Response.Cookies.Add(new HttpCookie("CheckCode", checkCode));</p><p> return checkCode;<br /> }</p><p> private void CreateCheckCodeImage(string checkCode)<br /> {<br /> if (checkCode == null || checkCode.Trim() == String.Empty)<br /> return;</p><p> System.Drawing.Bitmap image = new System.Drawing.Bitmap((int)Math.Ceiling((checkCode.Length * 12.5)), 22);<br /> Graphics g = Graphics.FromImage(image);</p><p> try<br /> {<br /> //產生隨機產生器<br /> Random random = new Random();</p><p> //清空圖片背景色<br /> g.Clear(Color.White);</p><p> //畫圖片的背景雜音線<br /> for (int i = 0; i < 2; i++)<br /> {<br /> int x1 = random.Next(image.Width);<br /> int x2 = random.Next(image.Width);<br /> int y1 = random.Next(image.Height);<br /> int y2 = random.Next(image.Height);</p><p> g.DrawLine(new Pen(Color.Black), x1, y1, x2, y2);<br /> }</p><p> Font font = new System.Drawing.Font("Arial", 12, (System.Drawing.FontStyle.Bold));<br /> System.Drawing.Drawing2D.LinearGradientBrush brush = new System.Drawing.Drawing2D.LinearGradientBrush(new Rectangle(0, 0, image.Width, image.Height), Color.Blue, Color.DarkRed, 1.2f, true);<br /> g.DrawString(checkCode, font, brush, 2, 2);</p><p> //畫圖片的前景噪音點<br /> for (int i = 0; i < 100; i++)<br /> {<br /> int x = random.Next(image.Width);<br /> int y = random.Next(image.Height);</p><p> image.SetPixel(x, y, Color.FromArgb(random.Next()));<br /> }</p><p> //畫圖片的邊框線<br /> g.DrawRectangle(new Pen(Color.Silver), 0, 0, image.Width - 1, image.Height - 1);</p><p> System.IO.MemoryStream ms = new System.IO.MemoryStream();<br /> image.Save(ms, System.Drawing.Imaging.ImageFormat.Gif);<br /> Response.ClearContent();<br /> Response.ContentType = "image/Gif";<br /> Response.BinaryWrite(ms.ToArray());<br /> }<br /> finally<br /> {<br /> g.Dispose();<br /> image.Dispose();<br /> }<br /> }<br />}<br />
2.登陸驗證如何去避免sql注入?微軟的官方網站中有一篇文章詳細介紹防止sql注入:http://msdn.microsoft.com/en-us/library/ff648339.aspx。其中主要內容如下:
2.1輸入驗證,永遠不要相信使用者輸入using System;<br />using System.Text.RegularExpressions;</p><p>public void CreateNewUserAccount(string name, string password)<br />{<br /> // Check name contains only lower case or upper case letters,<br /> // the apostrophe, a dot, or white space. Also check it is<br /> // between 1 and 40 characters long<br /> if ( !Regex.IsMatch(userIDTxt.Text, @"^[a-zA-Z'./s]{1,40}$"))<br /> throw new FormatException("Invalid name format");</p><p> // Check password contains at least one digit, one lower case<br /> // letter, one uppercase letter, and is between 8 and 10<br /> // characters long<br /> if ( !Regex.IsMatch(passwordTxt.Text,<br /> @"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,10}$" ))<br /> throw new FormatException("Invalid password format");</p><p> // Perform data access logic (using type safe parameters)<br /> ...<br />}
2.2 使用儲存過稱using System.Data;<br />using System.Data.SqlClient;</p><p>using (SqlConnection connection = new SqlConnection(connectionString))<br />{<br /> DataSet userDataset = new DataSet();<br /> SqlDataAdapter myCommand = new SqlDataAdapter(<br /> "LoginStoredProcedure", connection);<br /> myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;<br /> myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);<br /> myCommand.SelectCommand.Parameters["@au_id"].Value = SSN.Text;</p><p> myCommand.Fill(userDataset);<br />}<br />
在執行過程中,@au_id中傳遞的值是當做純文字的,不會產生sql注入問題。但是這種情況下需要注意的原有的預存程序是如何編寫的。如果是下面的預存程序的話,還是起不到防止注入的功能。
CREATE PROCEDURE dbo.RunQuery<br />@var ntext<br />AS<br /> exec sp_executesql @var<br />GO
2.3 使用參數化的動態sql(字串拼接的形式)using System.Data;<br />using System.Data.SqlClient;</p><p>using (SqlConnection connection = new SqlConnection(connectionString))<br />{<br /> DataSet userDataset = new DataSet();<br /> SqlDataAdapter myDataAdapter = new SqlDataAdapter(<br /> "SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id",<br /> connection);<br /> myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);<br /> myCommand.SelectCommand.Parameters["@au_id"].Value = SSN.Text;<br /> myDataAdapter.Fill(userDataset);<br />}
2.4 資料庫許可權如果是查詢資料庫的話,將使用權限設定的低一點
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
