1. 爱易网页
  2. ASP.NET教程
  3. 登入账号的漏洞:or '1'='1’-有关问题如何解决啊

登入账号的漏洞:or '1'='1’-有关问题如何解决啊

日期:2014-05-18  浏览次数:20571 次

登入账号的漏洞:or '1'='1’--问题怎么解决啊?
登入账号:or '1'='1’--问题怎么解决啊?

------解决方案--------------------
用参数化SQL语句,
select count(*) from 用户 where 用户名=@userName and 密码=@password

cmd.Parameters.AddWithValue("@userName",TextBoxUserName.Text.Trim);
cmd.Parameters.AddWidthValue("@password",TextBoxUserPwd.Text.Trim);
if((int)cmd.ExecuteScalar()>0)
登录成功;
else
用户名或密码错;
------解决方案--------------------
C# code

 /// <summary>
        /// 用于后台显示登陆后的账户信息
        /// </summary>
        /// <param name="LoginID"></param>
        /// <returns></returns>
        public SysAdmin GetModel(string LoginID)
        {
            SysAdmin sysAdm = null;
            StringBuilder strSql = new StringBuilder();
            strSql.Append("select  top 1 ID,LoginID,LoginPWD,LoginTime,IPID,State,Types from SysAdmin");
            strSql.Append(" where LoginID=@LoginID");
            SqlParameter par = new SqlParameter("@LoginID",LoginID);//【参数化】
            using (SqlDataReader dr=SqlHelperMain.GetReader(strSql.ToString(),par))
            {
                if (dr.Read())
                {
                    sysAdm = new SysAdmin();
                    sysAdm.ID = int.Parse(dr[0].ToString());
                    sysAdm.LoginID = dr[1].ToString();
                    sysAdm.LoginPWD = dr[2].ToString();
                    sysAdm.LoginTime = DateTime.Parse(dr[3].ToString());
                    sysAdm.IPID = int.Parse(dr[4].ToString());
                    sysAdm.State = bool.Parse(dr[5].ToString());
                    sysAdm.Types = int.Parse(dr[6].ToString());
                }
            }
            return sysAdm;
        }

------解决方案--------------------
[code=C#][/code]
  protected void ibtnLogin_Click(object sender, ImageClickEventArgs e)
   {
       int i = this.checkLogin(txtUserName.Text, txtPassword.Text);
       if (i > 0)
       {
           if (Session["GoogleCode"].ToString().ToUpper() == txtCheckCode.Text.ToUpper().Trim())
           {
               StrHelper.AlertAndRedirect("登录成功!", "Default.aspx");
           }
           else
           {
               StrHelper.AlertAndGoBack("验证码输入有误,请重新输入!");
           }
       }
       else
          {
           StrHelper.Alert("用户名或密码不正确!");
           }
         }
  public int checkLogin(string loginName, string loginPwd)
   {
       string ConnString = ConfigurationSettings.AppSettings["ConnectionString"];
       SqlConnection con = new SqlConnection(ConnString);
       SqlCommand myCommand = new SqlCommand("select count(*) from web_user where     userid=@loginName and password=@loginPwd",con);  
       myCommand.Parameters.Add(new SqlParameter("@loginName", SqlDbType.NVarChar, 20));
       myCommand.Parameters["@loginName"].Value = loginName;
       myCommand.Parameters.Add(new SqlParameter("@loginPwd", SqlDbType.NVarChar, 20));
       myCommand.Parameters["@loginPwd"].Value = loginPwd;
       myCommand.Connection.Open();
       int i = (int)myCommand.ExecuteScalar();
        mycomm.Connection.Close();
       myCommand.Connection.Close();
       return i;
}


------解决方案--------------------
http://www.15ae.com/archive/2011-12/05115956455.html防SQL注入的一些分享

相关资料更多>

  1. Data Manipulation with ADO.NET_Asp.NET数据库操作
  2. listview的增删改查有关问题
  3. Wpf ScrollBar自定义样式
  4. asp.net上传文件功能,变态实现法,该怎么解决
  5. 国外的B2C都是用PHP,莫非asp.net在国外就没有人用
  6. 麻烦大家帮小弟我看一下,修改记录有关问题
  7. jmail接收邮件报错?This function is not included in this version of jmail.该如何解决
  8. c#实现类似于SqlServer视图设计器的可浮动窗体_Asp.NET数据库操作
  9. Web程序获取键盘旋钮