
[Communication] C# winform prevents sql injection

Posted on 1/29/2015 10:12:59 AM
Pass by parameter:

// Directives needed at the top of the file.
using System;
using System.Data;
using System.Data.SqlClient;

// The SQL text is fixed; every user-supplied value travels as a parameter.
string sql = "select count(*) from zhuce where username=@username and pwd=@pwd and type=@type";
using (SqlConnection conn = new SqlConnection(Common.Context.SqlManager.CONN_STRING))
using (SqlCommand cmd = new SqlCommand(sql, conn))
{
    conn.Open();

    // Declare each parameter with an explicit type and length, then assign its value.
    cmd.Parameters.Add("@username", SqlDbType.VarChar, 30);
    cmd.Parameters.Add("@pwd", SqlDbType.VarChar, 30);
    cmd.Parameters.Add("@type", SqlDbType.VarChar, 10);
    cmd.Parameters["@username"].Value = username;
    cmd.Parameters["@pwd"].Value = pwd;
    cmd.Parameters["@type"].Value = power.Text;   // power: a control on the form

    // Number of matching rows; 0 means no such user/password/type combination.
    int count = Convert.ToInt32(cmd.ExecuteScalar());
}   // the using blocks close and dispose the connection and command



Not sure what database you are using.
Here is a piece of SQL Server code.
The most important thing for preventing injection attacks is not to build the SQL by string concatenation, but to assign the values through parameters.

SqlConnection conn = ......;   // connection setup omitted in the original
SqlCommand comm = new SqlCommand("select count(*) from Table1 where name = @loginame and password = @loginpassword", conn);
comm.Parameters.Add(new SqlParameter("@loginame", SqlDbType.NVarChar, 20));
comm.Parameters["@loginame"].Value = TextBox1.Text;
comm.Parameters.Add(new SqlParameter("@loginpassword", SqlDbType.NVarChar, 20));
comm.Parameters["@loginpassword"].Value = TextBox2.Text;
comm.Connection.Open();
int mark = (int)comm.ExecuteScalar();
// mark is used as a flag (number of matching rows)
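The point made above, that the SQL text must stay fixed and user input must be bound as parameters, as an added example that is not from the original post: it swaps SQL Server and SqlClient for Python's sqlite3 so it runs offline against a constructed in-memory copy of the `zhuce` table, and puts the vulnerable string-splicing form next to the parameterized form so the difference in behaviour can be observed.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the post's 'zhuce' table (sample rows
    are made up); SQL Server/SqlClient are swapped for sqlite3 to run offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table zhuce (username text, pwd text, type text)")
    conn.executemany(
        "insert into zhuce values (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("o'brien", "hunter2", "user")],
    )
    return conn


def count_spliced(conn, username, pwd, type_):
    # Vulnerable form: the values are concatenated into the SQL text, so a
    # quote or SQL keyword in the input changes the structure of the statement.
    sql = ("select count(*) from zhuce where username='" + username
           + "' and pwd='" + pwd + "' and type='" + type_ + "'")
    return conn.execute(sql).fetchone()[0]


def count_parameterized(conn, username, pwd, type_):
    # Hardened form: the statement is fixed and the values are bound separately;
    # sqlite3's "?" plays the role of SqlClient's @username/@pwd/@type.
    sql = "select count(*) from zhuce where username=? and pwd=? and type=?"
    return conn.execute(sql, (username, pwd, type_)).fetchone()[0]


def compare(username, pwd, type_):
    """Run both forms on the same input and return (spliced, parameterized).
    A spliced statement that no longer parses is reported as "error"."""
    conn = make_db()
    try:
        spliced = count_spliced(conn, username, pwd, type_)
    except sqlite3.OperationalError:
        spliced = "error"
    return spliced, count_parameterized(conn, username, pwd, type_)


if __name__ == "__main__":
    # Normal login: both forms agree.
    print(compare("alice", "s3cret", "admin"))       # (1, 1)
    # A legitimate apostrophe in the name breaks the spliced SQL only.
    print(compare("o'brien", "hunter2", "user"))     # ('error', 1)
    # A password field containing SQL syntax: the spliced form accepts it.
    print(compare("alice", "' or '1'='1", "admin"))  # (1, 0)
```

The parameterized form returns the same count whatever characters the input contains, which is exactly the property the post relies on.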



