我的WinForm正在进行SQL注入
本文关键字:注入 SQL 正在进行 WinForm 我的 | 更新日期: 2023-09-27 18:00:52
当我运行注册应用程序时,它似乎正在进行SQL注入,任何人都有任何快速修复建议,我真的不想更改所有内容,而是让它能够在我的第一个项目更新中运行。
string constring = "datasource=127.0.0.1;port=3306;username=root;password=welcome";
string Query = "insert into userdatabase.users (userid, email, passone, passtwo, lastname, firstname) values('" + this.userid_txt.Text + "','" + this.email_txt.Text + "','" + this.passone_txt.Text + "','" + this.passtwo_txt.Text + "','" + this.lastname_txt.Text + "','" + this.firstname_txt.Text + "') ;";
MySqlConnection conDataBase = new MySqlConnection(constring);
MySqlCommand cmdDataBase = new MySqlCommand(Query, conDataBase);
MySqlDataReader myReader;
try
{
conDataBase.Open();
myReader = cmdDataBase.ExecuteReader();
MessageBox.Show("Welcome to iDSTEM!");
while (myReader.Read())
{
}
}
catch (Exception ex)
{
MessageBox.Show(ex.Message);
}
错误说明:
您在我的SQL语法中有一个错误;查看手册。。。检查第1行"userdatabase"附近的语法
为了避免注入,必须使用参数,例如:
string constring = "datasource=127.0.0.1;port=3306;username=root;password=welcome";
string Query = "insert into userdatabase.users (userid, email, passone, passtwo, lastname, firstname) values(@par1,@par2,@par3,@par4,par5,@par6)";
MySqlConnection conDataBase = new MySqlConnection(constring);
MySqlCommand cmd = new MySqlCommand(Query, conDataBase);
cmd.Parameters.AddWithValue( "@par1",this.userid_txt.Text)
cmd.Parameters.AddWithValue("@par2",this.email_txt.Text)
cmd.Parameters.AddWithValue("@par3",this.passone_txt.Text)
cmd.Parameters.AddWithValue( "@par4",this.passtwo_txt.Text )
cmd.Parameters.AddWithValue("@par5",this.lastname_txt.Text)
cmd.Parameters.AddWithValue("@par6",this.firstname_txt.Text)
try
{
conDataBase.Open();
//Execute command
cmd.ExecuteNonQuery(); ///I suppose no need to use datareader...since you make insert
MessageBox.Show("Welcome to iDSTEM!");
catch (Exception ex)
{
MessageBox.Show(ex.Message);
}
这里的"修复"是参数。至于捷径:如果数据库提供程序支持命名参数,dapper可能会有所帮助。我不使用mysql,所以我不能肯定,但如果我们想象mysql支持使用参数名称的@
前缀命名的参数,那么:
// uses "dapper" (search for "Dapper" on NuGet / Package Manager)
connection.Execute(
@"insert into userdatabase.users
(userid, email, passone, passtwo, lastname, firstname)
values(@userid, @email, @passone, @passtwo, @lastname, @firstname)",
new { userid = this.userid_txt.Text,
email = this.email_txt.Text,
passone = this.passone_txt.Text,
passtwo = this.passtwo_txt.Text,
lastname = this.lastname_txt.Text,
firstname = this.firstname_txt.Text} );