时间:2021-07-01 10:21:17 帮助过:3人阅读
所以登录的sql尽量写成参数化,
using (SqlConnection cnn = new SqlConnection(con))
{
using (SqlCommand cmd = cnn.CreateCommand())
{
try
{
cmd.CommandText = "select * from User where username=@username and password=@password";
cmd.Parameters.Add(new SqlParameter("@username", username));
cmd.Parameters.Add(new SqlParameter("@password", password));
SqlDataAdapter da = new SqlDataAdapter();
DataSet ds = new DataSet();
da.SelectCommand = cmd;
da.Fill(ds);
cnn.Close(); //记得要加上 关闭
if (ds.Tables[0].Rows.Count > 0)
{
type = Convert.ToInt32(ds.Tables[0].Rows[0]["type"]);
}
}
catch (Exception ex)
{
// type = -2;
logInstance.Info(string.Format("登录出现异常,异常信息为:{0}",ex.Message));
}
}
}
//参数化时,单引号和双引号都会被转义
sql 登录注入
标签: