很好的防止MYSQL注入
本文关键字:MYSQL 注入 很好 | 更新日期: 2023-09-27 18:15:58
所以我做了一个表单,你从数据库登录。代码应该是自解释的。
private void button1_Click(object sender, EventArgs e)
{
try
{
string MyConnection = "datasource=localhost;port=3306;username=root;password=xdmemes123";
MySqlConnection myConn = new MySqlConnection(MyConnection);
MySqlCommand SelectCommand = new MySqlCommand("select * from life.players where DBname='" + this.username.Text + "' and DBpass='" + this.password.Text +"' ; ", myConn);
MySqlDataReader myReader;
myConn.Open();
myReader = SelectCommand.ExecuteReader();
int count = 0;
while (myReader.Read())
{
count = count + 1;
}
if (count == 1)
{
Properties.Settings.Default.Security = "Secure";
Properties.Settings.Default.AdminName = username.Text;
Properties.Settings.Default.AdminPass = password.Text;
Properties.Settings.Default.Save();
MessageBox.Show("Logged in");
this.Hide();
Form2 f2 = new Form2();
f2.ShowDialog();
}
else if (count > 1)
{
Properties.Settings.Default.Security = "Insecure";
MessageBox.Show("Incorrect!");
}
else
{
Properties.Settings.Default.Security = "Insecure";
MessageBox.Show("Incorrect!");
myConn.Close();
}
}
catch (Exception ex)
{
MessageBox.Show("Something went wrong. Error copied to clipboard.");
Clipboard.SetText(ex.Message);
}
}
但我的问题是,如果这是安全的MYSQL注射?如果不是,我该怎么做才能保证安全?
如果可能的话,写出或解释如何写这段代码。我对这种编码很陌生,但真的很喜欢它,并想继续我的程序。
您可以使用Parameters.Add作为内联文本允许注入发生,一个更好的SQL示例是:
using (var conn = new SqlConnection( @"datasource=localhost;port=3306;username=root;password=xdmemes123"))
{
conn.Open();
var command = new SqlCommand("", conn);
command.CommandText = "select * from life.players where DBname='@sqlName' and DBpass='@sqlPass";
command.Parameters.Add("@sqlName", SqlDbType.VarChar ).Value = this.username.Text;
command.Parameters.Add("@sqlPass", SqlDbType.VarChar ).Value = this.password.Text;
using (SqlDataReader myReader = command.ExecuteReader())
{
while (myReader.Read())
{
string value = myReader["COLUMN NAME"].ToString();
}
}
}
除了注入问题之外,您没有散列任何密码,我建议您检查一下。
代码容易受到SQL注入,事实上,这是一个完美的例子-字符串连接和SELECT *将允许攻击者输入例如,x' OR 1=1;#的密码并检索所有用户名和未加密的密码。即使是计算结果的不必要的循环也会导致明显的延迟,这会告诉攻击者他已经成功了。
下面的代码不容易被注入,尽管它是不是验证密码的正确方法。它仅用于演示目的。注意,它不使用SELECT *,只使用SELECT count(*):
//Reuse the same command with different connections
void InitializePlayerCmd()
{
var query = "SELECT COUNT(*) FROM life.players where DBName=@name and DbPass=@pass";
var myCmd= new MySqlCommand(query);
myCmd.Parameters.Add("@name", SqlDbType.VarChar,30 );
myCmd.Parameters.Add("@pass", SqlDbType.VarChar,200 );
_playerCheckCmd=myCmd;
}
//.....
int CheckPlayer(string someUserName, string someAlreadyHashedString)
{
var connectionString=Properties.Settings.Default.MyConnectionString;
using(var myConn= new MySqlConnection(connectionString))
{
_playerCheckCmd.Connection=myConn;
_playerCheckCmd.Parameters["@name"].Value=someUserName;
_playerCheckCmd.Parameters["@pass"].Value=someAlreadyHashedString;
myConn.Open();
var result=_playerCheckCmd.ExecuteScalar();
return result;
}
}