C#初学二 17 SQL注入攻击：带参数的SQL语句


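    /// <summary>
    /// Click handler for the login button. Runs
    /// <c>select count(*) from one where userid=@loginid and passwd=@loginpwd</c>
    /// with the two text boxes bound as <see cref="SqlParameter"/> values, so the typed
    /// text travels as data and can never alter the shape of the statement (the
    /// string-concatenation / SQL-injection case this lesson contrasts with).
    /// </summary>
    /// <param name="sender">The button that raised the event; not used.</param>
    /// <param name="e">Event data; not used.</param>
    private void button1_Click(object sender, EventArgs e)
    {
        // NOTE(review): the connection string is hard-coded with the sa/sa sysadmin
        // login — move it to configuration and connect with a least-privilege account.
        string constr = "Data Source =.;Initial Catalog =QQ;User ID =sa; Password =sa";

        // NOTE(review): the page names the password box both textpwd and textpasswd;
        // textpwd is used here — confirm against the form designer file.
        int matches = CountMatchingLogins(constr, textuserid.Text.Trim(), textpwd.Text.Trim());

        // The lesson stops at executing the query (the original discarded the
        // ExecuteScalar result); a real handler would branch on matches > 0 here.
    }

    /// <summary>
    /// Counts the rows in table <c>one</c> whose <c>userid</c> and <c>passwd</c> equal
    /// the given values, using a parameterised command.
    /// </summary>
    /// <param name="connectionString">SQL Server connection string.</param>
    /// <param name="loginId">User id to match; bound to @loginid as varchar(30).</param>
    /// <param name="password">Password to match; bound to @loginpwd as varchar(30).</param>
    /// <returns>The value of <c>count(*)</c>, i.e. the number of matching rows.</returns>
    private static int CountMatchingLogins(string connectionString, string loginId, string password)
    {
        // NOTE(review): passwd is compared exactly as stored; if the column holds
        // plaintext passwords, store a salted hash (e.g. PBKDF2) and compare hashes instead.
        const string sql = "select count(*) from one where userid=@loginid and passwd=@loginpwd";

        using (SqlConnection con = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, con))
        {
            // Every @placeholder in the statement must have a matching parameter on the
            // command. The explicit varchar(30) type and size fix the declared parameter
            // type instead of letting it be inferred from the value; input longer than
            // the declared size is presumably truncated on send — confirm this matches
            // the column width.
            cmd.Parameters.Add(new SqlParameter("@loginid", SqlDbType.VarChar, 30) { Value = loginId });
            cmd.Parameters.Add(new SqlParameter("@loginpwd", SqlDbType.VarChar, 30) { Value = password });

            con.Open();
            // count(*) comes back as a SQL int, so the scalar is a boxed Int32.
            return Convert.ToInt32(cmd.ExecuteScalar());
        }
    }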