Yoh*_* AI 6 vb.net asp.net ms-access sql-injection visual-studio-2008
我是ASP.NET的初学者,所以我对如何在ASP.NET中阻止SQL注入有一些疑问.我的编程语言是VB.NET,而不是C#,我使用Microsoft Access作为我的数据库.
我的问题是:
下面是一个非常简单的 ASP.NET 示例,通过 VB.NET 中的 OleDb 使用参数化查询:
默认.aspx
<%@ Page Title="Home Page" Language="vb" MasterPageFile="~/Site.Master" AutoEventWireup="false"
CodeBehind="Default.aspx.vb" Inherits="vbOleDbSite._Default" %>
<asp:Content ID="HeaderContent" runat="server" ContentPlaceHolderID="HeadContent">
</asp:Content>
<asp:Content ID="BodyContent" runat="server" ContentPlaceHolderID="MainContent">
<p>
First Name: <asp:TextBox ID="FirstName" runat="server"></asp:TextBox><br />
Last Name: <asp:TextBox ID="LastName" runat="server"></asp:TextBox><br />
<br />
<asp:Button ID="btnAddUser" runat="server" Text="Add User" />
<br />
Status: <span id="spanStatus" runat="server">Awaiting submission...</span>
</p>
</asp:Content>
默认.aspx.vb
Public Class _Default
Inherits System.Web.UI.Page
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
End Sub
Protected Sub btnAddUser_Click(sender As Object, e As EventArgs) Handles btnAddUser.Click
Dim newID As Long = 0
Using con As New OleDb.OleDbConnection
con.ConnectionString = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\__tmp\testData.accdb;"
con.Open()
Using cmd As New OleDb.OleDbCommand
cmd.Connection = con
cmd.CommandText = "INSERT INTO UsersTable (LastName, FirstName) VALUES (?, ?);"
cmd.Parameters.AddWithValue("?", Me.LastName.Text)
cmd.Parameters.AddWithValue("?", Me.FirstName.Text)
cmd.ExecuteNonQuery()
End Using
Using cmd As New OleDb.OleDbCommand
cmd.Connection = con
cmd.CommandText = "SELECT @@IDENTITY"
newID = cmd.ExecuteScalar()
End Using
con.Close()
End Using
Me.spanStatus.InnerText = "User """ & Me.FirstName.Text & " " & Me.LastName.Text & _
""" has been added (ID: " & newID.ToString() & ")."
End Sub
End Class
笔记:
参数化查询使用“?” 而不是参数的“真实”名称,因为 Access OLEDB 会忽略参数名称。参数必须按照它们在OleDbCommand.CommandText.
[UsersTable] 表有一个AutoNumber主键,并SELECT @@IDENTITY检索该语句创建的新键值INSERT INTO。