当我运行我的注册应用程序时,它似乎会引发 SQL 注入(inject),任何人都可以为我提供任何快速修复建议,我真的宁愿不更改所有内容,而是让它能够在我的第一个项目更新中运行。
string constring = "datasource=127.0.0.1;port=3306;username=root;password=welcome";
string Query = "insert into userdatabase.users (userid, email, passone, passtwo, lastname, firstname) values('" + this.userid_txt.Text + "','" + this.email_txt.Text + "','" + this.passone_txt.Text + "','" + this.passtwo_txt.Text + "','" + this.lastname_txt.Text + "','" + this.firstname_txt.Text + "') ;";
MySqlConnection conDataBase = new MySqlConnection(constring);
MySqlCommand cmdDataBase = new MySqlCommand(Query, conDataBase);
MySqlDataReader myReader;
try
{
conDataBase.Open();
myReader = cmdDataBase.ExecuteReader();
MessageBox.Show("Welcome to iDSTEM!");
while (myReader.Read())
{
}
}
catch (Exception ex)
{
MessageBox.Show(ex.Message);
}
错误指出:
You have an error in my SQL syntax; check the manual... check syntax near "userdatabase" at line 1
最佳答案
为了避免注入(inject),您必须使用参数,例如:
string constring = "datasource=127.0.0.1;port=3306;username=root;password=welcome";
string Query = "insert into userdatabase.users (userid, email, passone, passtwo, lastname, firstname) values(@par1,@par2,@par3,@par4,par5,@par6)";
MySqlConnection conDataBase = new MySqlConnection(constring);
MySqlCommand cmd = new MySqlCommand(Query, conDataBase);
cmd.Parameters.AddWithValue( "@par1",this.userid_txt.Text)
cmd.Parameters.AddWithValue("@par2",this.email_txt.Text)
cmd.Parameters.AddWithValue("@par3",this.passone_txt.Text)
cmd.Parameters.AddWithValue( "@par4",this.passtwo_txt.Text )
cmd.Parameters.AddWithValue("@par5",this.lastname_txt.Text)
cmd.Parameters.AddWithValue("@par6",this.firstname_txt.Text)
try
{
conDataBase.Open();
//Execute command
cmd.ExecuteNonQuery(); ///I suppose no need to use datareader...since you make insert
MessageBox.Show("Welcome to iDSTEM!");
catch (Exception ex)
{
MessageBox.Show(ex.Message);
}
关于c# - 我的 WinForm 正在获取 SQL 注入(inject),我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/23389119/