0

我的链接就像

http://localhost/default.aspx?phone=9057897874&order=124556

这是我从 ASP.net 在 URL 中传递参数的基本页面

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs"     Inherits="WebApplication2._Default" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
<title>Untitled Page</title>
</head>
<body>
<form method="get" action="default.aspx">

<label>Phone No</label>
<input type="text" name="phone" />
<br />
<label>Order No</label>
<input type="text" name="order" />
<br />
<input type="submit" value="submit" />
<br />
</form>

我可以将参数存储在变量中的 c# 文件

namespace WebApplication2
 {
public partial class _Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string strQuery;

        string phone = Request.QueryString["phone"];
        if (phone != null)
        {
            Response.Write("phone no is ");
            Response.Write(phone);
        }
        else

        {
            Response.Write("You phone number is not correct");
        }

        string order_no = Request.QueryString["order"];
        if (order_no != null)
        {
            Response.Write("Order No is ");
            Response.Write(order_no);
        }
        else
        {
            Response.Write("You Order number is not correct");
        }

//How I can Connect to Mysql Server

        strQuery = "SELECT order_status where orde01=''" + order_no + "'' and phone01=''" + phone + "''";

        Response.Write(strQuery);
}
}

我正在尝试做这样的事情,但它只给我整个查询作为字符串。我是这个话题的新手。任何帮助将不胜感激谢谢

4

2 回答 2

2

首先,根据用户可以更改的输入连接一条 sql 语句,特别是当存储为字符串时,这是 SQL 注入漏洞的创建方式。不要成为那个人。

至于对查询字符串进行标记,请使用命名参数。假设这是您的查询字符串

?orderid=777&phone=777-777-7777

Response.QueryString["orderid"]

将返回 '777' 和

Response.QueryString["phone"]

将返回“777-777-7777”

至于你的 sql 注入问题,你有几个选择。一种是参数化的 sql 语句,请参见此处的 C# 示例:http ://rosettacode.org/wiki/Parametrized_SQL_statement 或使用带参数的存储过程。最不理想但最低限度可接受的选择是严格验证您的输入参数,特别是杀死像 '=;% 之类的字符 - 以及其他一些字符。

编辑:既然我有时间制作一个样本,请检查一下。此示例需要针对您的数据库进行定制,但它在我的带有测试表的 mysql 数据库上工作。您需要安装MySQLConnector包并添加对“MySql.Data”的项目引用,然后代码才能正确编译。

namespace WebApplication2
{
    public partial class _Default : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e) {
            //define some regex patterns for validating our data.
            const string PHONEREGEX = @"((\(\d{3}\))|(\d{3}-))\d{3}-\d{4}";
            const string ORDERNUMREGEX = @"\d*";

            bool isValid = true;

            string phone = Request.QueryString["phone"]; //read phone from querystring.

            //validate that arg was provided, and matches our regular expression. this means it contains only numbers and single hyphens
            if(!string.IsNullOrWhiteSpace(phone) && System.Text.RegularExpressions.Regex.IsMatch(phone, PHONEREGEX)){
                Response.Write(HttpUtility.HtmlEncode(string.Format("The phone number is {0}", phone))); //HTML Encode the value before output, to prevent any toxic markup.
            } else {
                Response.Write("Phone number not provided.");
                isValid = false;
            }

            string orderStr = Request.QueryString["order"]; //read ordernum from querystring
            long order = long.MinValue;

            //validate that order was provided and matches the regex meaning it is only numbers. then it parses the value into 'long order'.
            if(!string.IsNullOrWhiteSpace(orderStr) && System.Text.RegularExpressions.Regex.IsMatch(orderStr, ORDERNUMREGEX) && long.TryParse(orderStr, out order)){
                Response.Write(HttpUtility.HtmlEncode(string.Format("The order number is {0}", order))); //use 'long order' instead of orderStr.
            } else {
                Response.Write("Order number not provided.");
                isValid = false;
            }

            //if all arguments are valid, query the DB.
            if (isValid) {
                Response.Write(GetOrderStatus( phone, order));
            }

        }

        private static string GetOrderStatus(string phone, long order) {
            string status = "";

            //create a connection object
            string connstring = "SERVER=<YOUR MYSQL SERVER>;DATABASE=<YOUR DATABASE>;UID=<YOUR USER>;PASSWORD=<YOUR PASSWORD>-";//this is a connection string for mysql. customize it to your needs.
            MySql.Data.MySqlClient.MySqlConnection conn = new MySql.Data.MySqlClient.MySqlConnection(connstring); //put your connection string in this constructor call 

            //create a SQL command object
            using (MySql.Data.MySqlClient.MySqlCommand cmd = new MySql.Data.MySqlClient.MySqlCommand()) { //use a using clause so resources are always released when done.
                cmd.Connection = conn;
                cmd.CommandText = "SELECT `Order_Status` FROM `<YOUR TABLE>` WHERE `Order` = @order AND `Phone` = @phone"; //this needs a From statement 

                //add parameters for your command. they fill in the @order and @phone in the sql statement above. customize these to match the data types in your database.
                cmd.Parameters.Add("order", MySql.Data.MySqlClient.MySqlDbType.Int64,11).Value = order; //do not use @ sign in parameter name
                cmd.Parameters.Add("phone", MySql.Data.MySqlClient.MySqlDbType.VarChar, 50).Value = phone;

                //execute the command, read the results from the query.
                cmd.Connection.Open();
                using (MySql.Data.MySqlClient.MySqlDataReader reader = cmd.ExecuteReader()) {
                    while (reader.Read()) {
                        status = reader.GetString("Order_Status");
                    }
                    cmd.Connection.Close();
                }

            }
            return status;
        }
    }
}
于 2012-11-08T17:33:36.730 回答
0

你应该使用

Request.Form["phone"]
Request.Form["order"]

代替

Request.QueryString["phone"]
Request.QueryString["order"]

这样做的原因是,您正在进行回发并且永远不会重定向到将这些值设置为查询字符串的 url

但是,您的问题标题会建议您有一个包含类似

http://yourdomain.com?phone=0123456789&order=17

于 2012-11-08T17:27:08.120 回答