Preventing SQL Injection

xiaoxiao2021-02-28  15

select * from UserInfo where Name='1' or '1'='1' and Pwd='1' or '1'='1'

Entering 1' or '1'='1 as both the login name and the password produces the statement above; its WHERE clause is always true, so the login goes straight into the main window.

Parameterizing the SQL statement prevents this: the input values are bound as data instead of being spliced into the query text.

// Placeholders keep the statement structure fixed; the values travel separately.
string strSql = "SELECT ID FROM Admin WHERE Name=@Name AND Pwd=@Pwd";
SqlParameter[] param = new SqlParameter[] {
    new SqlParameter("@Name", username),
    new SqlParameter("@Pwd", pwd)
};
// SqlHelper.Exists runs the query with the bound parameters and reports whether a row came back.
if (SqlHelper.Exists(strSql, param) == true)
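The same vulnerable-versus-parameterized comparison, as an added example that is not from the original post: it uses Python's sqlite3 and a constructed in-memory Admin table instead of the post's ADO.NET SqlHelper, and shows that the post's input string only bypasses the concatenated query.

```python
import sqlite3

# Constructed in-memory sample database standing in for the post's Admin table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Admin (ID INTEGER PRIMARY KEY, Name TEXT, Pwd TEXT)")
    # Sample credentials; a real table would hold a password hash, not plaintext.
    conn.execute("INSERT INTO Admin (Name, Pwd) VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn

def exists_concatenated(conn, username, pwd):
    # Vulnerable: user input is spliced into the SQL text, so quotes in the
    # input change the structure of the WHERE clause.
    sql = ("SELECT ID FROM Admin WHERE Name='" + username +
           "' and Pwd='" + pwd + "'")
    return conn.execute(sql).fetchone() is not None

def exists_parameterized(conn, username, pwd):
    # Fixed: the statement text is constant; the driver binds the values
    # separately, so they are only ever compared as data.
    sql = "SELECT ID FROM Admin WHERE Name=? AND Pwd=?"
    return conn.execute(sql, (username, pwd)).fetchone() is not None

# The input string from the post.
PAYLOAD = "1' or '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(exists_concatenated(conn, PAYLOAD, PAYLOAD))           # True: bypass
    print(exists_parameterized(conn, PAYLOAD, PAYLOAD))          # False
    print(exists_parameterized(conn, "admin", "correct-horse"))  # True
```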

Please credit the original source when reposting: https://www.6miu.com/read-2300121.html
