字符串攻击(即 SQL 注入)的样式:
主要发生在程序把用户输入的字符串直接拼接进 SQL 语句的时候:攻击者输入一段精心构造的、含有 SQL 指令的字符串,这段字符串就会被当作 SQL 代码执行,从而对数据库进行攻击性操作。
例如输入:';(恶意 SQL 语句);--  —— 开头的单引号闭合原来的字符串,分号结束当前语句,后面的 -- 把原语句剩下的部分注释掉。
那我们如何防止这种攻击:主要是使用 SqlCommand 的 Parameters 集合(参数化查询),SQL 语句里只写占位符,用户输入的值通过参数单独传给数据库,绝不拼接进 SQL 字符串。
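// Parameterised update: the user-supplied values (pwd, nick, sex, ...) are bound as
// parameters, so whatever they contain is sent to the server as data and is never
// parsed as SQL text.
cmd.CommandText = "update Users set PassWord=@pwd,NickName=@nick,Sex=@sex,Birthday=@bir,Nation=@nation,Class=@cla where UserName=@uname";
cmd.Parameters.Clear();
// SECURITY: pwd is written to the PassWord column exactly as supplied, i.e. in
// clear text. It should be a salted hash (PBKDF2 / bcrypt) by the time it gets here.
cmd.Parameters.AddWithValue("@pwd", pwd);
cmd.Parameters.AddWithValue("@nick", nick);
cmd.Parameters.AddWithValue("@sex", sex);
cmd.Parameters.AddWithValue("@bir", bir);
cmd.Parameters.AddWithValue("@nation", nation);
cmd.Parameters.AddWithValue("@cla", cla);
cmd.Parameters.AddWithValue("@uname", uname);
try
{
    conn.Open();
    cmd.ExecuteNonQuery();
}
finally
{
    // Release the connection even when ExecuteNonQuery throws; otherwise a shared
    // SqlConnection stays open and the next conn.Open() fails.
    conn.Close();
}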
通过使用这些占位符(参数)来防止注入:参数值由数据库驱动单独传递,只会被当作数据(字符串、日期、布尔值等),不会被当作 SQL 代码解析。注意:参数化只解决 SQL 注入;上面的例子仍然把密码明文写进了数据库,实际项目中应先做加盐哈希再保存。
__________________________________________________________________________________________________________________________
程序分三层:界面层、业务逻辑层、数据访问层
比较规范的写法是把业务逻辑层和数据访问层分开,为此需要创建实体类和数据访问类。
封装类:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
namespace 实体类_数据访问类.App_Code
{
/// <summary>
/// Entity that mirrors one row of the Users table: a plain data holder with no
/// validation or behaviour, every property readable and writable.
/// </summary>
public class Users
{
    /// <summary>Row key (the "ids" column).</summary>
    public int Ids { get; set; }

    /// <summary>Login name (the "UserName" column).</summary>
    public string UserName { get; set; }

    /// <summary>
    /// Password as stored in the "PassWord" column.
    /// SECURITY NOTE(review): the data access code in this file writes this value
    /// to the table as-is, i.e. in clear text; it should carry a salted hash
    /// (PBKDF2 / bcrypt), never the user's actual password.
    /// </summary>
    public string PassWord { get; set; }

    /// <summary>Display name (the "NickName" column).</summary>
    public string NickName { get; set; }

    /// <summary>
    /// Gender, kept as a boolean (which value means which gender is not defined here).
    /// </summary>
    public bool Sex { get; set; }

    /// <summary>Date of birth (the "Birthday" column).</summary>
    public DateTime Birthday { get; set; }

    /// <summary>Ethnic group (the "Nation" column).</summary>
    public string Nation { get; set; }

    /// <summary>Class the user belongs to (the "Class" column).</summary>
    public string Class { get; set; }
}
}
创建以上类,代表一个用户的所有数据
___________________________________________________________________________________________________________________________
数据访问类:把对 Users 表的插入、查询、删除封装成方法,便于调用
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Data.SqlClient;
namespace 实体类_数据访问类.App_Code
{
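/// <summary>
/// Data access class for the Users table (insert / select / delete).
/// One SqlConnection and one SqlCommand are created per instance and reused by
/// every method, so an instance must not be used from several threads at once.
/// </summary>
public class UsersData
{
    /// <summary>
    /// Environment variable the parameterless constructor reads the connection
    /// string from, so that database credentials can stay out of source control.
    /// </summary>
    public const string ConnectionStringVariable = "DATA0928_CONNECTION_STRING";

    SqlConnection conn = null;
    SqlCommand cmd = null;

    /// <summary>
    /// Takes the connection string from <see cref="ConnectionStringVariable"/>;
    /// when it is not set, falls back to the original hard-coded development
    /// string so existing callers keep working.
    /// </summary>
    public UsersData()
        : this(Environment.GetEnvironmentVariable(ConnectionStringVariable))
    {
    }

    /// <summary>
    /// Creates the data access object for an explicit connection string.
    /// </summary>
    /// <param name="connectionString">SQL Server connection string; null or empty
    /// selects the development fallback.</param>
    public UsersData(string connectionString)
    {
        if (string.IsNullOrEmpty(connectionString))
        {
            // SECURITY: this logs in as the built-in "sa" administrator with a
            // trivial password. It is kept only so the tutorial's callers still
            // work; in a real deployment delete this fallback, use a
            // least-privilege database login and supply the string through
            // configuration or the environment variable above.
            connectionString = "server=.;database=Data0928;user=sa;pwd=123";
        }
        conn = new SqlConnection(connectionString);
        cmd = conn.CreateCommand();
    }

    /// <summary>
    /// Converts a CLR null into DBNull so the parameter is sent as SQL NULL.
    /// SqlClient treats a parameter whose Value is null as "not supplied" and the
    /// server rejects the query, so a null string would otherwise always fail.
    /// </summary>
    private static object DbValue(object value)
    {
        return value ?? DBNull.Value;
    }

    /// <summary>
    /// Inserts <paramref name="u"/> into the Users table.
    /// </summary>
    /// <param name="u">User to add. Ids is not written (presumably an identity column).</param>
    /// <returns>true when at least one row was written; false on a SQL error or
    /// when no row was affected.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="u"/> is null.</exception>
    public bool Insert(Users u)
    {
        if (u == null)
        {
            throw new ArgumentNullException("u");
        }

        // Explicit column list: "insert into Users values(...)" silently depends
        // on the physical column order and breaks as soon as a column is added
        // or reordered. The names match the columns Select() reads back.
        cmd.CommandText =
            "insert into Users (UserName, PassWord, NickName, Sex, Birthday, Nation, Class) " +
            "values (@a, @b, @c, @d, @e, @f, @g)";
        cmd.Parameters.Clear();
        cmd.Parameters.AddWithValue("@a", DbValue(u.UserName));
        // SECURITY: PassWord is stored exactly as supplied, i.e. in clear text.
        // This class does not hash it; callers must pass a salted hash.
        cmd.Parameters.AddWithValue("@b", DbValue(u.PassWord));
        cmd.Parameters.AddWithValue("@c", DbValue(u.NickName));
        cmd.Parameters.AddWithValue("@d", u.Sex);
        cmd.Parameters.AddWithValue("@e", u.Birthday);
        cmd.Parameters.AddWithValue("@f", DbValue(u.Nation));
        cmd.Parameters.AddWithValue("@g", DbValue(u.Class));

        int affected = 0;
        try
        {
            conn.Open();
            affected = cmd.ExecuteNonQuery();
        }
        catch (SqlException)
        {
            // A database error (constraint violation, connectivity, ...) is
            // reported as "not inserted", as before. Other exception types are
            // no longer swallowed, since they indicate a programming error.
            return false;
        }
        finally
        {
            // The connection is shared by every method: leaving it open after an
            // exception would make the next Open() throw.
            conn.Close();
        }
        return affected > 0;
    }

    /// <summary>Maps the current row of <paramref name="dr"/> onto a new <see cref="Users"/>.</summary>
    private static Users ReadUser(SqlDataReader dr)
    {
        Users u = new Users();
        u.Ids = Convert.ToInt32(dr["ids"]);
        // ToString() on a DBNull yields "", so NULL text columns come back empty.
        u.UserName = dr["UserName"].ToString();
        u.PassWord = dr["PassWord"].ToString();
        u.NickName = dr["NickName"].ToString();
        u.Sex = Convert.ToBoolean(dr["Sex"]);
        u.Birthday = Convert.ToDateTime(dr["Birthday"]);
        u.Nation = dr["Nation"].ToString();
        u.Class = dr["Class"].ToString();
        return u;
    }

    /// <summary>
    /// Returns every row of the Users table.
    /// </summary>
    /// <returns>A list (possibly empty) of users, in the order the database returns them.</returns>
    public List<Users> Select()
    {
        List<Users> list = new List<Users>();
        cmd.CommandText = "select *from Users";
        cmd.Parameters.Clear();
        try
        {
            conn.Open();
            // Dispose the reader: the original left it open until conn.Close(),
            // and never closed the connection at all when ExecuteReader threw.
            using (SqlDataReader dr = cmd.ExecuteReader())
            {
                while (dr.Read())
                {
                    list.Add(ReadUser(dr));
                }
            }
        }
        finally
        {
            conn.Close();
        }
        return list;
    }

    /// <summary>
    /// Checks whether a user with the given name exists.
    /// </summary>
    /// <param name="username">UserName to look for (matched by the database's
    /// string comparison rules).</param>
    /// <returns>true when at least one matching row exists.</returns>
    public bool Select(string username)
    {
        bool has = false;
        cmd.CommandText = "select *from Users where UserName = @a";
        cmd.Parameters.Clear();
        // AddWithValue rather than the obsolete Add(string, object) overload the
        // original used; the value is still bound as a parameter, never inlined.
        cmd.Parameters.AddWithValue("@a", DbValue(username));
        try
        {
            conn.Open();
            using (SqlDataReader dr = cmd.ExecuteReader())
            {
                has = dr.HasRows;
            }
        }
        finally
        {
            conn.Close();
        }
        return has;
    }

    /// <summary>
    /// Deletes every row whose UserName equals <paramref name="uname"/>.
    /// No error is raised when no such user exists.
    /// </summary>
    /// <param name="uname">UserName of the rows to delete.</param>
    public void Delete(string uname)
    {
        cmd.CommandText = "delete from Users where UserName = @a";
        cmd.Parameters.Clear();
        cmd.Parameters.AddWithValue("@a", DbValue(uname));
        try
        {
            conn.Open();
            cmd.ExecuteNonQuery();
        }
        finally
        {
            conn.Close();
        }
    }
}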
}
__________________________________________________________________________________________________________________________
1、一般约定,在项目里新建一个叫做App_Code的文件夹,将封装的类和数据访问类统一放在其中
2、一般实体类使用想要进行操作的数据库中的表名来命名,数据库访问类用此表的表名后面加上Data来命名
3、注意数据访问类开头格式。示例里把 sa 账号和密码直接写在源代码的连接字符串中只是为了演示;实际项目应使用最小权限的数据库账号,并把连接字符串放在配置文件或环境变量里,不要提交到源码库。
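/// <summary>
/// Environment variable the parameterless constructor reads the connection
/// string from, so that database credentials can stay out of source control.
/// </summary>
public const string ConnectionStringVariable = "DATA0928_CONNECTION_STRING";

SqlConnection conn = null;
SqlCommand cmd = null;

/// <summary>
/// Takes the connection string from <see cref="ConnectionStringVariable"/>;
/// when it is not set, falls back to the original hard-coded development
/// string so existing callers keep working.
/// </summary>
public UsersData()
    : this(Environment.GetEnvironmentVariable(ConnectionStringVariable))
{
}

/// <summary>
/// Creates the data access object for an explicit connection string.
/// </summary>
/// <param name="connectionString">SQL Server connection string; null or empty
/// selects the development fallback.</param>
public UsersData(string connectionString)
{
    if (string.IsNullOrEmpty(connectionString))
    {
        // SECURITY: "sa" with a trivial password, kept only so the tutorial's
        // callers still work. Delete this fallback in real code and use a
        // least-privilege login supplied via configuration or the environment.
        connectionString = "server=.;database=Data0928;user=sa;pwd=123";
    }
    conn = new SqlConnection(connectionString);
    cmd = conn.CreateCommand();
}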
___________________________________________________________________________________________________________________________
4、匿名对象(不保存实例引用,直接在 new 出来的对象上调用方法;这不是匿名函数):
List<Users> ulist = new UsersData().Select();
直接调用 UsersData 类的 Select 方法(查询表中所有数据),并把结果赋给叫做 ulist 的泛型集合,从而比较简便地获取到所有数据。这样省去了一个保存 UsersData 实例的局部变量,代码更简洁;但对象本身仍然会被创建,并不会明显节省内存。
原文地址:http://www.cnblogs.com/wuxiaochao/p/6119905.html