Posted: 2021-07-01 10:21:17  Found helpful by 21 readers
1. The Command object's ExecuteScalar method returns the first column of the first row, which is how you get the generated ID back:

```csharp
object autoid = command.ExecuteScalar();
```
2. Reading SqlDataReader columns by index (ordinal):

```csharp
reader.GetString(index)
reader.GetInt32(index)
```
3. Parameterized SQL

Original SQL statement: select count(*) from tbusers where username='abc' and userpass='abc'

SQL after injection: select count(*) from tbusers where username='abc' or 1=1 -- and userpass='abc'

After the injection the query bypasses the registration validation: the "or 1=1" makes the WHERE clause always true and the "--" comments out the password condition. So use parameterized SQL or stored procedures instead of concatenating user input.
```csharp
using System.Data;
using System.Data.SqlClient;

string connstr = "Data Source=.;Initial Catalog=mydb;Integrated Security=true";
using (SqlConnection conn = new SqlConnection(connstr))
{
    // No more string concatenation: placeholders prefixed with @ stand in for the values
    string sql = "select * from tbusers where username=@username and userpass=@userpass";
    using (SqlCommand command = new SqlCommand(sql, conn))
    {
        SqlParameter paramUsername = new SqlParameter("@username", SqlDbType.VarChar, 50) { Value = txtUsername.Text };
        SqlParameter paramUserpass = new SqlParameter("@userpass", SqlDbType.VarChar, 50) { Value = txtUserpass.Text };
        command.Parameters.Add(paramUsername);
        command.Parameters.Add(paramUserpass);
        conn.Open();
        object result = command.ExecuteScalar();
    }
}
```
A shorter way to handle several parameters is to build them as an array (note that `params` is a reserved word in C#, so the array needs another name):

```csharp
SqlParameter[] parameters = new SqlParameter[]
{
    new SqlParameter("@username", SqlDbType.VarChar, 50) { Value = txtUsername.Text },
    new SqlParameter("@userpass", SqlDbType.VarChar, 50) { Value = txtUserpass.Text }
};
command.Parameters.AddRange(parameters);
```
Another shorthand is AddWithValue; here the parameter type is inferred from the .NET value (a string becomes nvarchar) rather than taken from the column definition:

```csharp
command.Parameters.AddWithValue("@username", txtUsername.Text);
command.Parameters.AddWithValue("@userpass", txtUserpass.Text);
```
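The following is an added example, not code from the original post, that pulls the three points above together: a typed SqlParameter array attached with AddRange, ExecuteScalar for the COUNT(*) result, and the injection string from section 3 passed in as ordinary data. It assumes the same hypothetical tbusers(username VARCHAR(50), userpass VARCHAR(50)) table and connection string as the post; the table name, column names and connection string are placeholders.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not from the original post). Assumes a placeholder
// tbusers(username VARCHAR(50), userpass VARCHAR(50)) table reachable
// through the placeholder connection string below.
static class LoginCheck
{
    const string ConnStr = "Data Source=.;Initial Catalog=mydb;Integrated Security=true";

    // Builds the parameter set once, as an array, and attaches it with AddRange.
    // Each parameter carries the column's real type and length, so the value is
    // sent as typed data and never becomes part of the SQL text.
    static SqlParameter[] CredentialParameters(string username, string userpass)
    {
        return new[]
        {
            new SqlParameter("@username", SqlDbType.VarChar, 50) { Value = username },
            new SqlParameter("@userpass", SqlDbType.VarChar, 50) { Value = userpass }
        };
    }

    // Returns how many rows match the supplied credentials.
    public static int CountMatchingUsers(string username, string userpass)
    {
        const string sql =
            "SELECT COUNT(*) FROM tbusers WHERE username = @username AND userpass = @userpass";
        using (var conn = new SqlConnection(ConnStr))
        using (var command = new SqlCommand(sql, conn))
        {
            command.Parameters.AddRange(CredentialParameters(username, userpass));
            conn.Open();
            // COUNT(*) is an int in SQL Server, so ExecuteScalar returns a boxed int
            return (int)command.ExecuteScalar();
        }
    }

    static void Main()
    {
        // Constructed input shaped like the payload quoted in the post. With a
        // parameter the whole string is compared against the username column as
        // one value; the "or 1=1 --" never reaches the parser as SQL, so the count
        // stays 0 unless a user literally has that name.
        string suspicious = "abc' or 1=1 --";
        int matches = CountMatchingUsers(suspicious, "abc");
        Console.WriteLine(matches == 0 ? "login rejected" : "login accepted");
    }
}
```

The explicit SqlDbType.VarChar on each parameter matters beyond correctness: AddWithValue would send the .NET string as nvarchar, and comparing an nvarchar parameter against a varchar column forces an implicit conversion that can defeat an index on username. The example keeps the post's plaintext userpass column for continuity; in a real system the column would hold a password hash and the comparison would be done in application code.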
How to prevent SQL injection