-1

我正在做一个可以从数据库中添加和搜索人员的程序。所有功能现在都可以使用,但我想防止 SQL 注入。有任何想法吗?感谢您的帮助!

这是搜索功能:

public static void SearchAll()          //Söka fram alla deltagare och visa det i rutan på skärmen.
{
    Form1.result = "";

    connectionString = @"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C:\Users\Carlo\Desktop\Projekt\Examensarbete 2018\AdminPanel\AdminPanel\employees.mdf;Integrated Security=True";

    sql = "SELECT * FROM [employee]";

    cnn = new SqlConnection(connectionString);

    cnn.Open();
    cmd = new SqlCommand(sql, cnn);
    reader = cmd.ExecuteReader();

    while (reader.Read())
    {
        Form1.result += "Email: " + reader.GetValue(1) + Environment.NewLine;
        Form1.result += "First name: " + reader.GetValue(2) + Environment.NewLine;
        Form1.result += "Last name: " + reader.GetValue(3) + Environment.NewLine;
        Form1.result += "Address: " + reader.GetValue(4) + Environment.NewLine;
        Form1.result += "Phonenumber: " + reader.GetValue(5) + Environment.NewLine;                               
        Form1.result += "Jobtitle: " + reader.GetValue(7) + Environment.NewLine;
        Form1.result += "Salary: " + reader.GetValue(6) + Environment.NewLine + Environment.NewLine;
    }
}

这是添加功能:

public static void Add(string AddEmail, string AddFistName, string AddLastName, string AddAddress, string AddPhonenumber, string AddJobTitle, string AddSalary, string checkboxChecker)     //Lägg til en deltagare funktionen.
{
    connectionString = @"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C:\Users\Carlo\Desktop\Projekt\Examensarbete 2018\AdminPanel\AdminPanel\employees.mdf;Integrated Security=True";
    using(var conn = new SqlConnection(connectionString))
    {
        var cmd = new SqlCommand("insert into Employee (Email, FirstName, LastName, Address, Phonenumber, Salary, JobTitle, GDPR,StartDate) VALUES ('" + AddEmail + "','" + AddFistName + "','" + AddLastName + "','" + AddAddress + "','" + AddPhonenumber + "', '" + AddJobTitle + "', '" + AddSalary + "', '" + checkboxChecker + "', GETDATE())", conn);
        conn.Open();
        cmd.ExecuteNonQuery();
    }
}

当我尝试这个时,我得到 System.NullReferenceException。我已尝试修复它,但我找不到问题所说的与“电子邮件”有关的问题。

public static void LoginChecker(string email, string Password)          //Funktionen som kollar ifall man får logga in eller inte.
        {
            Form1.result = "";
            failedCounter = 3;
            connectionString = @"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C:\Users\Carlo\Desktop\Projekt\Examensarbete 2018\AdminPanel\AdminPanel\employees.mdf;Integrated Security=True";
            sql = "SELECT * FROM Login WHERE UserName = @email AND Password = @password ";
            cmd.Parameters.AddWithValue("@email", email);
            cmd.Parameters.AddWithValue("@password", Password); //the problem says to be here!!!!!!
            cnn = new SqlConnection(connectionString);

            cnn.Open();
            cmd = new SqlCommand(sql, cnn);
            reader = cmd.ExecuteReader();

            if (reader.Read() == true)                          //Om det finns ett inlogg med rätt email och lösenord så kommer man in.
            {
                Form1.Log = "Successful";
            }
            else                                               //Om det inte finns ett inlogg med det som skrivits in så kommer man inte in.
            {

                 Form1.Log = "Failed";

            }
        }
4

1 回答 1

0

1.验证用户输入

如果您的输入仅采用 id 或整数,请添加一些验证以仅接受数字。如果输入很复杂,则使用正则表达式模式来识别正确的输入。

示例视图: 

<asp:TextBox ID="txtUserID" runat="server"></asp:TextBox>
<asp:RequiredFieldValidator ID="rfvUserID" ControlToValidate="txtUserID" Display="Dynamic" runat="server" ErrorMessage="Required"></asp:RequiredFieldValidator>
<asp:RegularExpressionValidator ID="revUserID" runat="server" ErrorMessage="Numbers Only" ValidationExpression="[0-9]+" ControlToValidate="txtUserID"
Display="Dynamic">

2.参数化SQL查询&存储过程

参数化查询在运行 SQL 查询之前会正确替换参数。它完全消除了“脏”输入改变查询含义的可能性,使用参数化查询,除了一般注入之外,您还可以处理所有数据类型、数字(int 和 float)、字符串(带有嵌入式引号)、日期和时间(当 .ToString() 没有使用不变的文化调用并且您的客户移动到具有意外日期格式的机器时,没有格式问题或本地化问题)。

喜欢:

SqlCommand command = new SqlCommand("spDisplayUserByID", connection);
command.CommandType = CommandType.StoredProcedure;
command.Parameters.Add("@userID", SqlDbType.Int).Value = userID;

参考:https ://www.codeproject.com/Articles/813965/Preventing-SQL-Injection-Attack-ASP-NET-Part-I

于 2018-08-17T08:01:04.713 回答