C# Good injection prevention? - C# / MySQL / .NET / SQL Injection - Fatal编程技术网

C# Good injection prevention?


So I made a form that lets you log in from the DB. The code should be self-explanatory.

private void button1_Click(object sender, EventArgs e)
{
    try
    {
        // Root credentials hard-coded in the connection string.
        string MyConnection = "datasource=localhost;port=3306;username=root;password=xdmemes123";
        MySqlConnection myConn = new MySqlConnection(MyConnection);
        // User input is concatenated straight into the SQL text: this is the injection point.
        MySqlCommand SelectCommand = new MySqlCommand("select * from life.players where DBname='"  + this.username.Text + "' and DBpass='" + this.password.Text +"' ; ", myConn);
        MySqlDataReader myReader;
        myConn.Open();
        myReader = SelectCommand.ExecuteReader();
        // Counts matching rows by iterating the whole result set.
        int count = 0;
        while (myReader.Read())
        {
            count = count + 1;
        }
        if (count == 1)
        {
            // Stores the entered username and plaintext password in user settings.
            Properties.Settings.Default.Security = "Secure";
            Properties.Settings.Default.AdminName = username.Text;
            Properties.Settings.Default.AdminPass = password.Text;
            Properties.Settings.Default.Save();
            MessageBox.Show("Logged in");
            this.Hide();
            Form2 f2 = new Form2();
            f2.ShowDialog();
        }
        else if (count > 1)
        {
            Properties.Settings.Default.Security = "Insecure";
            MessageBox.Show("Incorrect!");
        }
        else
        {
            Properties.Settings.Default.Security = "Insecure";
            MessageBox.Show("Incorrect!");
            myConn.Close(); // the connection is only closed on this branch
        }
    }
    catch (Exception ex)
    {
        MessageBox.Show("Something went wrong. Error copied to clipboard.");
        Clipboard.SetText(ex.Message);
    }
}
But my question is: is this safe against MySQL injection? If not, what can I do to make it safe?

If possible, please write or explain how to write this code. I'm new to this kind of coding, but I really like it and want to continue with my program.

You can use parameters. Adding the values as inline text allows injection; a better SQL example is the following:

using System.Data;
using MySql.Data.MySqlClient;

// Parameterised version of the question's login query, using the MySQL Connector/NET classes
// (the connection string is a MySQL one, so MySqlConnection/MySqlCommand are required).
using (var conn = new MySqlConnection(@"datasource=localhost;port=3306;username=root;password=xdmemes123"))
{
    conn.Open();
    var command = new MySqlCommand("", conn);
    // Parameter markers must not be quoted: '@sqlName' would be a string literal, not a parameter.
    command.CommandText = "select * from life.players where DBname=@sqlName and DBpass=@sqlPass";
    command.Parameters.Add("@sqlName", MySqlDbType.VarChar).Value = this.username.Text;
    command.Parameters.Add("@sqlPass", MySqlDbType.VarChar).Value = this.password.Text;
    using (MySqlDataReader myReader = command.ExecuteReader())
    {
       while (myReader.Read())
       {
           string value = myReader["COLUMN NAME"].ToString();
       }
    }
}

Apart from the injection problem, I would suggest that you do not hash any password.

That code is vulnerable to SQL injection; in fact, it is a perfect example of it. String concatenation and SELECT * will let an attacker enter, for example, the password x' or 1=1; and retrieve all usernames and unencrypted passwords. Even the unnecessary loop that counts the results will cause a noticeable delay, telling the attacker that he succeeded.

The following code is not injectable, although this is not the correct way to verify a password. It is for demonstration purposes only. Note that it does not use SELECT *, only SELECT COUNT(*):

using System;
using MySql.Data.MySqlClient;

MySqlCommand _playerCheckCmd;

//Reuse the same command with different connections
void InitializePlayerCmd()
{
    var query = "SELECT COUNT(*) FROM life.players where DBName=@name and DbPass=@pass";
    var myCmd = new MySqlCommand(query);
    myCmd.Parameters.Add("@name", MySqlDbType.VarChar, 30);
    myCmd.Parameters.Add("@pass", MySqlDbType.VarChar, 200);
    _playerCheckCmd = myCmd;
}

//.....
int CheckPlayer(string someUserName, string someAlreadyHashedString)
{
    var connectionString = Properties.Settings.Default.MyConnectionString;
    using (var myConn = new MySqlConnection(connectionString))
    {
        _playerCheckCmd.Connection = myConn;
        _playerCheckCmd.Parameters["@name"].Value = someUserName;
        _playerCheckCmd.Parameters["@pass"].Value = someAlreadyHashedString;
        myConn.Open();
        // ExecuteScalar returns an object (a 64-bit integer for COUNT(*) in MySQL); convert it.
        var result = _playerCheckCmd.ExecuteScalar();
        return Convert.ToInt32(result);
    }
}

Comments:

No, this is not safe against SQL injection. Read it carefully and you will see why straight away. This is exactly how SQL injection vulnerabilities are made! this.username.Text == 0'; delete from some table -- . And your passwords are not hashed, which is also unacceptable in this day and age.

No, no, no, no! Did someone tell you this was OK?

You said to use only Add? Please read the link, I won't repeat what is above.

@DavidG AddWithValue is enough to stop SQL injection. Compared to the many bugs in the original code, that is a misdemeanor. Notice how this answer fixes the insecure connection handling.

@PanagiotisKanavos I never mentioned the SQL injection part in this answer; I am well aware that it works.
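The two answers above are illustrated by the following added, runnable Python example, which is not part of the original thread and not the answerers' code. It uses Python's sqlite3 module in place of MySQL and Connector/NET, attaches an in-memory database named life so the life.players table name matches the question, and fills it with constructed sample accounts. It runs the question's concatenated query with the x' or '1'='1 variant of the second answer's payload (and a second payload that yields exactly one row, which the question's count == 1 check would accept as a login), then the parameterised SELECT COUNT(*) check from the second answer, and finally the salted-hash verification that the second answer says is the missing piece. PBKDF2-HMAC-SHA256 and the iteration count are my choices for the demonstration, not something the thread specifies.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts, not real data. A real schema stores only the
# salt and hash; the plaintext DBpass column exists here only to show what
# the concatenated query leaks.
SAMPLE_PLAYERS = [("alice", "hunter2"), ("bob", "correct horse battery")]

# Assumed work factor for the demonstration; use the highest value your
# login latency budget allows in production.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256, a stand-in for the hashing the second answer says is missing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_db() -> sqlite3.Connection:
    """In-memory sqlite3 database with a life.players table shaped like the question's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS life")
    conn.execute(
        "CREATE TABLE life.players ("
        "DBname TEXT PRIMARY KEY, DBpass TEXT, salt BLOB, pass_hash BLOB)"
    )
    for name, pw in SAMPLE_PLAYERS:
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO life.players VALUES (?, ?, ?, ?)",
            (name, pw, salt, hash_password(pw, salt)),
        )
    conn.commit()
    return conn


def login_concatenated(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The question's query, built by string concatenation.

    Returns every row the database hands back. With the question's SELECT *
    that is every column, so whatever the WHERE clause is tricked into
    matching is exposed to the caller, plaintext passwords included.
    """
    sql = (
        "select * from life.players where DBname='"
        + username + "' and DBpass='" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> int:
    """The second answer's shape: placeholders plus SELECT COUNT(*).

    The driver sends the values separately from the SQL text, so a quote in
    the input is data, never syntax.
    """
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM life.players WHERE DBname=? AND DBpass=?",
        (username, password),
    ).fetchone()
    return count


def login_hashed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup of salt and hash, then a constant-time comparison.

    The password itself never reaches the database and is never stored.
    """
    row = conn.execute(
        "SELECT salt, pass_hash FROM life.players WHERE DBname=?", (username,)
    ).fetchone()
    if row is None:
        # Hash anyway so an unknown user costs about as much time as a wrong password.
        hash_password(password, bytes(16))
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    db = make_db()
    payload = "x' or '1'='1"
    print("concatenated, injected :", login_concatenated(db, "alice", payload))
    print("parameterised, injected:", login_parameterised(db, "alice", payload))
    print("hashed, real password  :", login_hashed(db, "alice", "hunter2"))
```

The concatenated query with the payload returns both sample rows, including the plaintext passwords, while the parameterised check returns 0 for the same input and the hashed check returns False. The same split applies to MySqlCommand parameters in the C# answers: the fix is the placeholder, not any escaping of the input.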