C# 如何有效地防止符号为 ' 的 SQL 注入?

 1    /// <summary>
 2         /// 登录功能
 3         /// </summary>
 4         /// <param name="model"></param>
 5         /// <returns></returns>
 6         public UserInfoModel Login(UserInfoModel model)
 7         {
 8             UserInfoModel userInfoModel = null;
 9             string sql = @"select UserName, Password from UserInfos
10                            where UserName=@UserName and Password=@Password";
11             SqlParameter[] paras =
12                 {
13                 new SqlParameter("@UserName",model.UserName),
14                  new SqlParameter("@Password",model.Password)
15              };
16             DataRow row = DBHelper.GetDataRow(sql, paras);
17             if (row != null)
18             {
19                 userInfoModel = new UserInfoModel();
20                 userInfoModel.UserName = row["UserName"].ToString();
21                 userInfoModel.Password = row["Password"].ToString();
22             }
23             return userInfoModel;//true  false
24         }
 1      public static DataRow GetDataRow(string sql, params SqlParameter[] paras)
 2         {
 3             DataTable dt = null;
 4             using (SqlConnection conn = new SqlConnection(ConnStr))
 5             {
 6                 SqlCommand command = new SqlCommand(sql, conn);
 7                 command.Parameters.AddRange(paras);
 8                 SqlDataAdapter adapter = new SqlDataAdapter(command);
 9                 dt = new DataTable();
10                 adapter.Fill(dt);
11             }
12             if (dt.Rows.Count > 0)
13                 return dt.Rows[0];
14             else
15                 return null;
16         }

这里为了防止含有符号 ' 的 SQL 注入，加了下面的代码：

            // The SQL text stays fixed; @UserName and @Password are placeholders that
            // are bound to SqlParameter objects below, so the values (including any ')
            // are handed to the driver as data rather than spliced into the statement.
            string sql = @"select UserName, Password from UserInfos
                           where UserName=@UserName and Password=@Password";
            SqlParameter[] paras =
                {
                new SqlParameter("@UserName",model.UserName),
                 new SqlParameter("@Password",model.Password)
             };

把重要的参数放进 SqlParameter 数组、作为参数传给命令，这样符号 ' 也就只是参数值里的普通字符，不再是 SQL 语法的一部分。

操作数据库时通过 command.Parameters.AddRange 把这些参数交给命令，参数值会和 SQL 语句分开传给数据库，只当作普通字符串处理，不会改变我们 SQL 语句的结构。

                // Parameters are attached to the command object, not to the SQL string:
                // the values are passed alongside the statement rather than inside it,
                // which is why a ' in the input cannot alter the query's structure.
                SqlCommand command = new SqlCommand(sql, conn);
                command.Parameters.AddRange(paras);