我具有以下的认证方法:防止SQL注入在asp.net
protected void Button1_Click(object sender, EventArgs e)
{
string s;
s = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
SqlConnection con = new SqlConnection(s);
con.Open();
string sqlCmd;
sqlCmd = "SELECT Username, UserPassword FROM Benutzer WHERE Username = @Username AND UserPassword [email protected]";
SqlCommand cmd = new SqlCommand(sqlCmd, con);
String username = tbUsername.Text.Replace("'", "''");
String password = tbPassword.Text.Replace("'", "''");
cmd.Parameters.AddWithValue("Username", username);
cmd.Parameters.AddWithValue("Password", password);
string CurrentName;
CurrentName = (string)cmd.ExecuteScalar();
if (CurrentName != null)
{
Session["UserAuthentication"] = cmd.Parameters[0].ToString();
Session.Timeout = 1;
Response.Redirect("Default.aspx");
}
else
{
lblStatus.ForeColor = System.Drawing.Color.Red;
lblStatus.Text = "Benuztername/Password ungültig!";
}
}
是这足以防止SQL注入?我以前只是用户名和密码,直接进入命令是这样的:
sqlCmd = "SELECT Username, UserPassword FROM Benutzer WHERE Username ='" + username + "' AND UserPassword ='" + pwd + "'";
其中username和pwd那里只是字符串变量中的用户名和密码文本框的内容保存...
编辑:
确定我已经编辑我的代码现在看起来是这样的:
protected void Button1_Click(object sender, EventArgs e)
{
SqlConnection objcon = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["ConnectionString"].ToString());
SqlDataAdapter objda = new SqlDataAdapter("[MembershipPruefen]", objcon);
objda.SelectCommand.CommandType = CommandType.StoredProcedure;
objda.SelectCommand.Parameters.Add("@Username", SqlDbType.VarChar).Value = tbUsername.Text;
objda.SelectCommand.Parameters.Add("@UserPassword", SqlDbType.VarChar).Value = tbPassword.Text;
objcon.Open();
string CurrentName;
CurrentName = (string)objda.SelectCommand.ExecuteScalar();
if (CurrentName != null)
{
Session["UserAuthentication"] = tbUsername.Text;
Session.Timeout = 1;
Response.Redirect("Default.aspx");
}
else
{
lblStatus.ForeColor = System.Drawing.Color.Red;
lblStatus.Text = "Benuztername/Password ungültig!";
}
objcon.Close();
}
这是我的存储过程:
CREATE PROCEDURE MembershipPruefen (@Username VARCHAR(50), @UserPassword VARCHAR(50))
AS
SELECT Username, UserPassword FROM Benutzer WHERE Username LIKE @Username AND UserPassword LIKE @UserPassword;
这就够了吗?我的网络应用程序是否可以安全地防止SQL入侵或者还有什么可做的事情?
我可以知道为什么你只是不使用存储过程和多层技术?它真的有帮助 – Marwan 2013-03-12 14:16:59
,因为我对此很新,而且我不知道从哪里开始......我的时间有点有限,所以我必须尽快完成这项工作......我阅读了很多文章,消毒,参数化和存储过程通常是安全的,以防SQL注入,所以我做了第一个2,但我不知道它们是否足够... – LeonidasFett 2013-03-12 14:23:19
对你有好处,你跳过字符串连接! – Michel 2013-03-12 15:08:49