日期:2014-05-18  浏览次数:20509 次

登入账号的漏洞:or '1'='1'--问题怎么解决啊?
登入账号:or '1'='1'--问题怎么解决啊?

------解决方案--------------------
用参数化SQL语句,
select count(*) from 用户 where 用户名=@userName and 密码=@password

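// Bind the user-supplied values as parameters so they are sent as data, never
// spliced into the SQL text (which is what lets "' or '1'='1'--" through).
// Trim must be invoked (Trim()), otherwise a method group is passed as the value.
cmd.Parameters.AddWithValue("@userName", TextBoxUserName.Text.Trim());
cmd.Parameters.AddWithValue("@password", TextBoxUserPwd.Text.Trim());
// NOTE(review): AddWithValue infers the SQL type from the .NET value; prefer
// Parameters.Add(name, SqlDbType, size) when the column type/width is known.
if ((int)cmd.ExecuteScalar() > 0)
    // 登录成功 — login succeeded (placeholder from the original answer)
    ;
else
    // 用户名或密码错 — wrong user name or password (placeholder from the original answer)
    ;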
------解决方案--------------------
C# code

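 /// <summary>
        /// Loads the SysAdmin row for one login id, for display in the back office.
        /// </summary>
        /// <param name="LoginID">Login id to look up; bound as a SQL parameter, never concatenated into the query.</param>
        /// <returns>The populated <see cref="SysAdmin"/>, or null when no row matches.</returns>
        /// <exception cref="InvalidCastException">A column is NULL or of a type that cannot be converted to the model field.</exception>
        /// <exception cref="FormatException">A textual column value cannot be converted to the model field's type.</exception>
        public SysAdmin GetModel(string LoginID)
        {
            SysAdmin sysAdm = null;
            string sql = "select  top 1 ID,LoginID,LoginPWD,LoginTime,IPID,State,Types from SysAdmin"
                       + " where LoginID=@LoginID";
            // Parameterised: a LoginID such as ' or '1'='1'-- is compared as a literal value.
            SqlParameter par = new SqlParameter("@LoginID", LoginID);
            using (SqlDataReader dr = SqlHelperMain.GetReader(sql, par))
            {
                if (dr.Read())
                {
                    sysAdm = new SysAdmin();
                    // Convert.* reads the boxed value directly instead of round-tripping
                    // through ToString()/Parse, which is culture-sensitive for DateTime.
                    sysAdm.ID = Convert.ToInt32(dr[0]);
                    sysAdm.LoginID = Convert.ToString(dr[1]);
                    // NOTE(review): LoginPWD is handed back exactly as stored; whether that is
                    // a hash cannot be seen here — confirm callers never compare it to raw input.
                    sysAdm.LoginPWD = Convert.ToString(dr[2]);
                    sysAdm.LoginTime = Convert.ToDateTime(dr[3]);
                    sysAdm.IPID = Convert.ToInt32(dr[4]);
                    // Accepts a bit column as well as an integer 0/1 flag.
                    sysAdm.State = Convert.ToBoolean(dr[5]);
                    sysAdm.Types = Convert.ToInt32(dr[6]);
                }
            }
            return sysAdm;
        }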

------解决方案--------------------
C# code
 protected void ibtnLogin_Click(object sender, ImageClickEventArgs e)
{
int i = this.checkLogin(txtUserName.Text, txtPassword.Text);
if (i > 0)
{
if (Session["GoogleCode"].ToString().ToUpper() == txtCheckCode.Text.ToUpper().Trim())
{
StrHelper.AlertAndRedirect("登录成功!", "Default.aspx");
}
else
{
StrHelper.AlertAndGoBack("验证码输入有误,请重新输入!");
}
}
else
{
StrHelper.Alert("用户名或密码不正确!");
}
}
 public int checkLogin(string loginName, string loginPwd)
{
string ConnString = ConfigurationSettings.AppSettings["ConnectionString"];
SqlConnection con = new SqlConnection(ConnString);
SqlCommand myCommand = new SqlCommand("select count(*) from web_user where userid=@loginName and password=@loginPwd",con); 
myCommand.Parameters.Add(new SqlParameter("@loginName", SqlDbType.NVarChar, 20));
myCommand.Parameters["@loginName"].Value = loginName;
myCommand.Parameters.Add(new SqlParameter("@loginPwd", SqlDbType.NVarChar, 20));
myCommand.Parameters["@loginPwd"].Value = loginPwd;
myCommand.Connection.Open();
int i = (int)myCommand.ExecuteScalar();
mycomm.Connection.Close();
myCommand.Connection.Close();
return i;
}

------解决方案--------------------
http://www.15ae.com/archive/2011-12/05115956455.html 防SQL注入的一些分享