Bre*_*ker 2 sql vb.net sql-injection
我已经找到了一些这方面的教程,但它们并不是我正在寻找的,我可以使用以下用于用户名字段和密码字段
Private Sub UsernameTextBox_KeyPress(ByVal sender As Object, ByVal e As System.Windows.Forms.KeyPressEventArgs) Handles UsernameTextBox.KeyPress
If Char.IsDigit(e.KeyChar) OrElse Char.IsControl(e.KeyChar) OrElse Char.IsLetter(e.KeyChar) Then
e.Handled = False
Else
e.Handled = True
End If
End Sub
但是对于电子邮件字段,我如何防止针对该文本框的SQL注入,因为某些电子邮件帐户中有句号或破折号?
更新: 下面是我使用的插入语句的示例.
Dim con As SqlConnection
con = New SqlConnection()
Dim cmd As New SqlCommand
Try
con.ConnectionString = "Data Source=" & Server & ";Initial Catalog=" & Database & ";User ID=" & User & ";Password=" & Password & ";"
con.Open()
cmd.Connection = con
cmd.CommandText = "INSERT INTO TB_User(STRUserID, password, Email) VALUES('" & UsernameTextBox.Text & "', '" & MD5Hash(PasswordTextBox.Text) & "', '" & EmailTextBox.Text & "')"
cmd.ExecuteNonQuery()
Catch ex As Exception
MessageBox.Show("Error while inserting record on table..." & ex.Message, "Insert Records")
Finally
con.Close()
End Try
所以我需要使用参数化查询来运行它,而不是现在我是怎么做的?
Ry-*_*Ry- 11
不要过滤掉用户输入中的"无效"数据,而应考虑使用参数化查询,而不是将用户输入直接放入查询中; 这是非常糟糕的形式.
要使用参数运行当前查询,这很简单:
Dim con As New SqlConnection()
Dim cmd As New SqlCommand()
Try
con.ConnectionString = "Data Source=" & Server & ";Initial Catalog=" & Database & ";User ID=" & User & ";Password=" & Password & ";"
con.Open()
cmd.Connection = con
cmd.CommandText = "INSERT INTO TB_User(STRUserID, password, Email) VALUES(@username, @password, @email)"
cmd.Parameters.Add("@username", SqlDbType.VarChar, 50).Value = UsernameTextBox.Text
cmd.Parameters.Add("@password", SqlDbType.Char, 32).Value = MD5Hash(PasswordTextBox.Text)
cmd.Parameters.Add("@email", SqlDbType.VarChar, 50).Value = EmailTextBox.Text
cmd.ExecuteNonQuery()
Catch ex As Exception
MessageBox.Show("Error while inserting record on table..." & ex.Message, "Insert Records")
Finally
con.Close()
End Try
您所要做的就是使用cmd.Parameters.Add参数名称和正确的数据库类型(我猜测可能不匹配,因此您需要更改它们),然后将值设置为您想要在查询.参数名称以a开头@.