我是ASP.NET的初学者,所以我对如何在ASP.NET中阻止sql注入有一些疑问.我的编程语言是VB.NET,而不是C#,我使用Microsoft Access作为我的数据库.
我的问题是:
>如何保护我的数据库免受sql注入?
>我一直在阅读其他论坛的帖子,他们说使用
带有存储过程的参数,带有动态sql的参数.它们可以在Microsoft Access数据库中实现吗?
解决方法
这是一个非常简单的ASP.NET示例,在VB.NET中通过OleDb使用参数化查询:
Default.aspx的
<%@ Page Title="Home Page" Language="vb" MasterPageFile="~/Site.Master" AutoEventWireup="false"
CodeBehind="Default.aspx.vb" Inherits="vbOleDbSite._Default" %>
<asp:Content ID="HeaderContent" runat="server" ContentPlaceHolderID="HeadContent">
</asp:Content>
<asp:Content ID="BodyContent" runat="server" ContentPlaceHolderID="MainContent">
<p>
First Name: <asp:TextBox ID="FirstName" runat="server"></asp:TextBox><br />
Last Name: <asp:TextBox ID="LastName" runat="server"></asp:TextBox><br />
<br />
<asp:Button ID="btnAddUser" runat="server" Text="Add User" />
<br />
Status: <span id="spanStatus" runat="server">Awaiting submission...</span>
</p>
</asp:Content>
Default.aspx.vb
Public Class _Default
Inherits System.Web.UI.Page
Protected Sub Page_Load(ByVal sender As Object,ByVal e As System.EventArgs) Handles Me.Load
End Sub
Protected Sub btnAddUser_Click(sender As Object,e As EventArgs) Handles btnAddUser.Click
Dim newID As Long = 0
Using con As New OleDb.OleDbConnection
con.ConnectionString = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\__tmp\testData.accdb;"
con.open()
Using cmd As New OleDb.OleDbCommand
cmd.Connection = con
cmd.CommandText = "INSERT INTO UsersTable (LastName,FirstName) VALUES (?,?);"
cmd.Parameters.AddWithValue("?",Me.LastName.Text)
cmd.Parameters.AddWithValue("?",Me.FirstName.Text)
cmd.ExecuteNonQuery()
End Using
Using cmd As New OleDb.OleDbCommand
cmd.Connection = con
cmd.CommandText = "SELECT @@IDENTITY"
newID = cmd.ExecuteScalar()
End Using
con.Close()
End Using
Me.spanStatus.InnerText = "User """ & Me.FirstName.Text & " " & Me.LastName.Text & _
""" has been added (ID: " & newID.ToString() & ")."
End Sub
End Class
笔记:
>参数化查询使用“?”而不是参数的“真实”名称,因为Access OLEDB忽略参数名称.必须按照它们在OleDbCommand.CommandText中出现的确切顺序定义参数.> [UsersTable]表具有AutoNumber主键,SELECT @@ IDENTITY检索INSERT INTO语句创建的新键值.
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。
