C# 如何防止函数中的SQL注入?


I am writing a program that can add people to a database and search for them. All the functions work now, but I want to prevent SQL injection. Any ideas? Thanks for your help.

This is the search function:

public static void SearchAll()          // Search for all participants and show them in the box on the screen.
{
    Form1.result = "";

    connectionString = @"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C:\Users\Carlo\Desktop\Projekt\Examensarbete 2018\AdminPanel\AdminPanel\employees.mdf;Integrated Security=True";

    sql = "SELECT * FROM [employee]";

    cnn = new SqlConnection(connectionString);

    cnn.Open();
    cmd = new SqlCommand(sql, cnn);
    reader = cmd.ExecuteReader();

    while (reader.Read())
    {
        Form1.result += "Email: " + reader.GetValue(1) + Environment.NewLine;
        Form1.result += "First name: " + reader.GetValue(2) + Environment.NewLine;
        Form1.result += "Last name: " + reader.GetValue(3) + Environment.NewLine;
        Form1.result += "Address: " + reader.GetValue(4) + Environment.NewLine;
        Form1.result += "Phonenumber: " + reader.GetValue(5) + Environment.NewLine;                               
        Form1.result += "Jobtitle: " + reader.GetValue(7) + Environment.NewLine;
        Form1.result += "Salary: " + reader.GetValue(6) + Environment.NewLine + Environment.NewLine;
    }
}
This is the add function:

public static void Add(string AddEmail, string AddFistName, string AddLastName, string AddAddress, string AddPhonenumber, string AddJobTitle, string AddSalary, string checkboxChecker)     // The add-a-participant function.
{
    connectionString = @"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C:\Users\Carlo\Desktop\Projekt\Examensarbete 2018\AdminPanel\AdminPanel\employees.mdf;Integrated Security=True";
    using(var conn = new SqlConnection(connectionString))
    {
        var cmd = new SqlCommand("insert into Employee (Email, FirstName, LastName, Address, Phonenumber, Salary, JobTitle, GDPR,StartDate) VALUES ('" + AddEmail + "','" + AddFistName + "','" + AddLastName + "','" + AddAddress + "','" + AddPhonenumber + "', '" + AddJobTitle + "', '" + AddSalary + "', '" + checkboxChecker + "', GETDATE())", conn);
        conn.Open();
        cmd.ExecuteNonQuery();
    }
}
When I try this, I get a System.NullReferenceException. I have tried to solve it but cannot find the problem; the problem is "Email".

1. Validate user input

If your input only accepts IDs or integers, add validation that accepts digits only. If the input is more complex, use a regular expression pattern to recognize valid input.

Example view:

<asp:TextBox ID="txtUserID" runat="server"></asp:TextBox>
<asp:RequiredFieldValidator ID="rfvUserID" ControlToValidate="txtUserID" Display="Dynamic" runat="server" ErrorMessage="Required"></asp:RequiredFieldValidator>
<asp:RegularExpressionValidator ID="revUserID" runat="server" ErrorMessage="Numbers Only" ValidationExpression="[0-9]+" ControlToValidate="txtUserID" Display="Dynamic"></asp:RegularExpressionValidator>

References:

Also use parameters. I wrote a reusable method for this task:

The tag says "Do not use this tag on questions about code that merely happens to be written in Visual Studio", so you should remove that tag. Given the example code, you should add a tag instead. Other tips: SqlCommand and SqlDataReader are both IDisposable, so both of them should be in using blocks. (Similarly, the first code example does not put the SqlConnection in a using block.) That has nothing to do with SQL injection; it is basic C# programming. I could point out what needs to change in the code, but you will run into this while programming, so it is better to learn how to solve it yourself. The duplicate link has a good explanation of how to do it. See
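The following is an added example, not the asker's or any answerer's code: the Add function from the question rewritten with SqlParameter objects and the using blocks the comment above asks for. The column names are those from the question; the parameter types and lengths, the decimal salary check and the connection-string placeholder are assumptions, since the page does not give the table definition.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

public static class EmployeeRepository
{
    // Placeholder: use the AttachDbFilename connection string from the question in the real project.
    private const string ConnectionString = "<connection string here>";

    public static void Add(string email, string firstName, string lastName, string address,
                           string phoneNumber, string jobTitle, string salary, string gdprChecked)
    {
        // Validate before touching the database: salary must be a number, not arbitrary text.
        if (!decimal.TryParse(salary, NumberStyles.Number, CultureInfo.InvariantCulture, out decimal salaryValue))
            throw new ArgumentException("Salary must be a number.", nameof(salary));

        // The SQL text contains only placeholders. User input never becomes part of the statement,
        // so a value containing a quote (O'Brien) is stored as data instead of altering the query.
        const string sql =
            "INSERT INTO Employee (Email, FirstName, LastName, Address, Phonenumber, Salary, JobTitle, GDPR, StartDate) " +
            "VALUES (@Email, @FirstName, @LastName, @Address, @Phonenumber, @Salary, @JobTitle, @GDPR, GETDATE())";

        // SqlConnection and SqlCommand are IDisposable (so is SqlDataReader in SearchAll): dispose them all.
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Explicit types and lengths are assumed here; match them to the real table. Declaring them
            // avoids implicit conversions and lets the server reject over-long values instead of truncating.
            cmd.Parameters.Add("@Email", SqlDbType.NVarChar, 256).Value = email;
            cmd.Parameters.Add("@FirstName", SqlDbType.NVarChar, 100).Value = firstName;
            cmd.Parameters.Add("@LastName", SqlDbType.NVarChar, 100).Value = lastName;
            cmd.Parameters.Add("@Address", SqlDbType.NVarChar, 200).Value = address;
            cmd.Parameters.Add("@Phonenumber", SqlDbType.NVarChar, 32).Value = phoneNumber;
            cmd.Parameters.Add("@Salary", SqlDbType.Decimal).Value = salaryValue;
            cmd.Parameters.Add("@JobTitle", SqlDbType.NVarChar, 100).Value = jobTitle;
            // The question stores the checkbox state as text, so it stays a string parameter here.
            cmd.Parameters.Add("@GDPR", SqlDbType.NVarChar, 10).Value = gdprChecked;

            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```

The same pattern applies to SearchAll once it takes a search term: put the term in a parameter and wrap the SqlDataReader in its own using block.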