参数化提交SQL语句和拼接SQL语句安全性分析 SQL注入 简单对比分析

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="LoginTest.aspx.cs" Inherits="LoginTest" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>参数化提交SQL语句和拼接SQL语句安全性分析 SQL注入 简单对比分析</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        用户名:<asp:TextBox ID="TextBox1" runat="server"></asp:TextBox><br />
        <br />
        <br />
        密码:<asp:TextBox ID="TextBox2" runat="server"></asp:TextBox><br />
        <br />
        <br />
        <asp:Button ID="Button1" runat="server" Text="SQL传递参数" OnClick="Button1_Click" />  
        <asp:Button ID="Button2" runat="server" Text="SQL拼接语句" OnClick="Button2_Click" />
    </div>
    </form>
</body>
</html>


 

using System;
using System.Collections.Generic;
using System.Data;
using System.Data.Common;
using System.Data.SqlClient;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using MSCL;

public partial class LoginTest : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        //本文仅对 参数化提交SQL语句和拼接SQL语句安全性分析 SQL注入 简单对比分析
        //至于各位在程序中 进行SQL危险字符检测和过滤 不在此讨论范围
    }

    protected void Button1_Click(object sender, EventArgs e)
    {
        string UserName = TextBox1.Text.Trim();
        string Pwd = TextBox2.Text.Trim();

        //实例化Connection对象     
        SqlConnection connection = new SqlConnection("server=localhost;database=demo;uid=sa;pwd=smile");
        connection.Open();
        //实例化Command对象     
        SqlCommand command = new SqlCommand("SELECT COUNT(*) FROM USERINFO WHERE USERNAME=@USERNAME AND UPWD=@UPWD", connection);
        //第一种添加查询参数的例子     
        SqlParameter para1 = new SqlParameter("@USERNAME", SqlDbType.NVarChar, 50);
        para1.Value = UserName;
        command.Parameters.Add(para1);//添加参数     

        SqlParameter para2 = new SqlParameter("@UPWD", SqlDbType.NVarChar, 50);
        para2.Value = Pwd;
        command.Parameters.Add(para2);//添加参数     

        try
        {
            int i = Convert.ToInt32(command.ExecuteScalar());
            if (i > 0)
            {
                Response.Write("成功");
            }
            else
            {
                Response.Write("失败");
            }

        }
        catch { }
        finally
        {
            connection.Close();
        }  
        
        /*
        SqlParameter[] parameters ={ 
             new SqlParameter("@USERNAME",SqlDbType.NVarChar,50),
	         new SqlParameter("@UPWD",SqlDbType.NVarChar,50)};
        parameters[0].Value = UserName;
        parameters[1].Value = Pwd;
        string sql = "SELECT COUNT(*) FROM USERINFO WHERE USERNAME=@USERNAME AND UPWD=@UPWD";
        int i = Convert.ToInt32(MSCL.SqlHelper.GetSingle(sql, parameters));
        if (i > 0)
        {
            Response.Write("成功");
        }
        else
        {
            Response.Write("失败");
        }
        */
    }

    protected void Button2_Click(object sender, EventArgs e)
    {
        string UserName = TextBox1.Text.Trim(); //随便输入
        string Pwd = TextBox2.Text.Trim(); //典型SQL登陆注入 输入  a' or '1'='1
        object obj = MSCL.SqlHelper.GetSingle("SELECT COUNT(*) FROM USERINFO WHERE USERNAME='" + UserName + "' AND UPWD='" + Pwd + "' ");
        if (Convert.ToInt32(obj) > 0)
        {
            Response.Write("成功");
        }
        else
        {
            Response.Write("失败");
        }
    }
}


 

posted @ 2013-04-12 10:16  深南大道  阅读(329)  评论(0)    收藏  举报