修改为SQL参数化查询防止SQL注入
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="AdminLogin.aspx.cs" Inherits="AdminLogin" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>网站信息管理</title>
<link href="AdminCss/Logincss.css" rel="stylesheet" type="text/css" />
</head>
<body>
<form id="form1" runat="server">
<div id="log_fm">
<div class="log_box">
<div class="btn_box">
<div id="tb_1">
<asp:TextBox ID="userName" runat="server" CssClass="tb"></asp:TextBox>
</div>
<div id="tb_2">
<asp:TextBox ID="passWord" runat="server" CssClass="tb" TextMode="Password"></asp:TextBox>
</div>
<div id="tb_3">
<asp:TextBox ID="txtCode" runat="server" CssClass="tb_yz" ></asp:TextBox>
</div>
<div id="yz">
<asp:Image ID="Image1" runat="server" ImageUrl="~/Admin/RandomImage.aspx" />
</div>
<div id="btn_1">
<asp:Button ID="Button1" runat="server" Text="登录" CssClass="btn"
Font-Size="14px" onclick="Button1_Click" />
</div>
<div id="btn_2">
<asp:Button ID="Button2" runat="server" Text="重置" CssClass="btn"
Font-Size="14px" />
</div>
</div>
</div>
</div>
</form>
</body>
</html>
using System;
using System.Collections;
using System.Configuration;
using System.Data;
using System.Data.OleDb;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
public partial class AdminLogin : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
}
protected void Button1_Click(object sender, EventArgs e)
{
string strConnnection = @"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=";
strConnnection += Server.MapPath("~/App_Data/DataMaster.mdb");
OleDbConnection conn = new OleDbConnection(strConnnection);
string cmdText = "SELECT COUNT(*) FROM [Admin] WHERE UserName='" + userName.Text + "' AND userPass='" + passWord.Text + "'";
OleDbCommand cmd = new OleDbCommand(cmdText, conn);
conn.Open();
int count = (int)cmd.ExecuteScalar();
conn.Close();
if (string.Compare(Session["CheckCode"].ToString(), this.txtCode.Text, true) == 0 && count >0)
{
Session["myuser"] = userName.Text;
Response.Write("<script>alert('登录成功!')</script>");
ClientScript.RegisterStartupScript(this.GetType(), "e", "<script>window.location.href='Main.aspx';</script>");
return;
}
else
{
Response.Write("<script>alert('输入错误!')</script>");
ClientScript.RegisterStartupScript(this.GetType(), "e", "<script>window.location.href='AdminLogin.aspx';</script>");
}
}
}代码如上,主要是防止SQL注入,要求代码可以直接上传服务器使用,不能有语法错误。
还有就是Web.config中 <customErrors mode="On" defaultRedirect="index.aspx"/> 这样设置是不是就不会显示WEB服务器详细的报错页面。谢谢大家。
替换掉单引号
string cmdText = "SELECT COUNT(*) FROM [Admin] WHERE UserName='" + userName.Text.Replace("'","") + "' AND userPass='" + passWord.Text.Replace("'","") + "'";参数化也可以
protected void Button1_Click(object sender, EventArgs e)
{
string strConnnection = @"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=";
strConnnection += Server.MapPath("~/App_Data/DataMaster.mdb");
OleDbConnection conn = new OleDbConnection(strConnnection);
string cmdText = "SELECT COUNT(*) FROM [Admin] WHERE UserName=? AND userPass=?";
OleDbCommand cmd = new OleDbCommand(cmdText, conn);
//framwork2.0
/*OleDbParameter pUserName = new OleDbParameter("UserName", OleDbType.LongVarWChar,50);
pUserName.Size = 50;
pUserName.Direction = ParameterDirection.Input;
pUserName.Value = userName.Text;
OleDbParameter puserPass = new OleDbParameter("userPass", OleDbType.LongVarWChar, 50);
puserPass.Size = 50;
puserPass.Direction = ParameterDirection.Input;
puserPass.Value = passWord.Text;
cmd.Parameters.Add(pUserName);
cmd.Parameters.Add(puserPass);*/
//对象初始化器需要framework3+以上,如果是2.0版本用上面注释的代码,下面2句的注释掉,要不会出错
cmd.Parameters.Add(new OleDbParameter { ParameterName = "UserName", OleDbType = OleDbType.LongVarWChar, Value = userName.Text,Size=50,Direction=ParameterDirection.Input });
cmd.Parameters.Add(new OleDbParameter { ParameterName = "userPass", OleDbType = OleDbType.LongVarWChar, Value = passWord.Text, Size = 50, Direction = ParameterDirection.Input });
/////////////////////
conn.Open();
int count = (int)cmd.ExecuteScalar();
conn.Close();
if (/*string.Compare(Session["CheckCode"].ToString(), this.txtCode.Text, true) == 0 &&*/ count > 0)
{
Session["myuser"] = userName.Text;
Response.Write("<script>alert('登录成功!')</script>");
ClientScript.RegisterStartupScript(this.GetType(), "e", "<script>window.location.href='Main.aspx';</script>");
return;
}
else
{
Response.Write("<script>alert('输入错误!')</script>");
ClientScript.RegisterStartupScript(this.GetType(), "e", "<script>window.location.href='default.aspx';</script>");
}
}帮助到你可以采纳支持下哦,谢谢~~实测参数化正常运行
如何有效防止sql注入的五种方式。防止sql注入有很多方面,感觉还是自己多百度,多了解这方面的东西,更有利于你的思路去控制。https://m.jb51.net/article/108987.htm
防止SQL注入,就应该将SQL参数化,而不是直接拼接的方式,参数化的SQL里面值要单独写一个Utils工具类,去筛选掉一些可能有SQL注入的问题,比如Delete等等,给你个例子吧
/*
* *
* * Copyright (c) All rights reserved.
* *
* *
* *
* * 版权所有,侵权必究!
*
*/
package com.ts.core.common.xss;
import com.ts.core.common.exception.RRException;
import org.apache.commons.lang.StringUtils;
/**
* SQL过滤
*
* @author Mark sunlightcs@gmail.com
*/
public class SQLFilter {
/**
* SQL注入过滤
* @param str 待验证的字符串
*/
public static String sqlInject(String str){
if(StringUtils.isBlank(str)){
return null;
}
//去掉'|"|;|\字符
str = StringUtils.replace(str, "'", "");
str = StringUtils.replace(str, "\"", "");
str = StringUtils.replace(str, ";", "");
str = StringUtils.replace(str, "\\", "");
//转换成小写
str = str.toLowerCase();
//非法字符
String[] keywords = {"master", "truncate", "insert", "select", "delete", "update", "declare", "alter", "drop"};
//判断是否包含非法字符
for(String keyword : keywords){
if(str.indexOf(keyword) != -1){
throw new RRException("包含非法字符");
}
}
return str;
}
}
您好,我是有问必答小助手,您的问题已经有小伙伴解答了,您看下是否解决,可以追评进行沟通哦~
如果有您比较满意的答案 / 帮您提供解决思路的答案,可以点击【采纳】按钮,给回答的小伙伴一些鼓励哦~~
ps:问答VIP仅需29元,即可享受5次/月 有问必答服务,了解详情>>>https://vip.csdn.net/askvip?utm_source=1146287632