More Secure .NET Development (1)
// Part 1
// this code has a really nasty security flaw: the user-supplied value is
// concatenated straight into the SQL text, so it can change the statement.
using System.Data;
using System.Data.SqlClient;

void LogUserName(SqlConnection conn, string userName)
{
   string sqlText = "insert user_names values('" + userName + "')";
   SqlCommand cmd = new SqlCommand(sqlText, conn);
   cmd.ExecuteNonQuery();
}

// Part 2
// much more secure code: the statement text is fixed, and the value travels
// as a typed parameter that the provider never interprets as SQL.
void LogUserName(SqlConnection conn, string userName)
{
   string sqlText = "insert user_names values(@n)";
   SqlCommand cmd = new SqlCommand(sqlText, conn);
   SqlParameter p = cmd.Parameters.Add("@n",
       SqlDbType.VarChar, userName.Length);
   p.Value = userName;
   cmd.ExecuteNonQuery();
}
// Input supplied to Part 1's userName parameter:
Parameter:    SeeYa');drop table user_names--
// The SQL text Part 1 then actually executes:
insert user_names values('SeeYa');drop table user_names--')
The example above shows that when writing code you should use parameterized queries wherever possible, and never build SQL statements by concatenating strings.
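The following is an added example, not code from the original post: it puts the Part 2 pattern into a complete console program and checks, by row count, that the hostile input shown above is stored as plain data while the table survives. It assumes a reachable SQL Server, a table user_names with a single varchar(256) column, and the placeholder connection string; these are not from the post.

```csharp
// Added example, not code from the original post. It puts the Part 2 pattern into a
// complete program and checks, by row count, that the hostile input from the post is
// stored as plain data and that the table survives.
// Assumptions (not from the post): a reachable SQL Server, a table named user_names with
// a single varchar(256) column, and the placeholder connection string below.
// System.Data.SqlClient ships with .NET Framework; on .NET 6+ add the package of that name.
using System;
using System.Data;
using System.Data.SqlClient;

static class SafeUserNameLogging
{
    // Placeholder: replace with a real connection string before running.
    const string ConnectionString = "Server=<host>;Database=<db>;Integrated Security=true;";

    // Assumed column width of user_names. The parameter size is fixed to the column
    // width rather than to userName.Length, so an over-long value is rejected by the
    // provider instead of depending on the table definition.
    const int UserNameWidth = 256;

    // Same statement as Part 2 above; the value never becomes part of the SQL text.
    static void LogUserName(SqlConnection conn, string userName)
    {
        const string sqlText = "insert user_names values(@n)";
        using (var cmd = new SqlCommand(sqlText, conn))
        {
            SqlParameter p = cmd.Parameters.Add("@n", SqlDbType.VarChar, UserNameWidth);
            p.Value = userName;
            cmd.ExecuteNonQuery();
        }
    }

    // Number of rows currently in user_names (throws if the table no longer exists).
    static int CountRows(SqlConnection conn)
    {
        using (var cmd = new SqlCommand("select count(*) from user_names", conn))
        {
            return (int)cmd.ExecuteScalar();
        }
    }

    static void Main()
    {
        // The same input the post feeds to Part 1.
        const string hostileInput = "SeeYa');drop table user_names--";

        using (var conn = new SqlConnection(ConnectionString))
        {
            conn.Open();
            int before = CountRows(conn);

            LogUserName(conn, hostileInput);

            // With Part 1 this second count would fail because the table is gone;
            // with the parameterized insert it is exactly one higher than before.
            int after = CountRows(conn);
            Console.WriteLine(after == before + 1
                ? "stored as data: one new row, table intact"
                : "unexpected row count");
        }
    }
}
```

The check relies only on the row count, so it does not need to know the column name; if the table had been dropped, the second `CountRows` call would throw rather than return.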
浙公网安备 33010602011771号