Here we use parameterized SQL to solve the SQL-injection problem;
a C# WinForms user-login form that resists SQL injection serves as the example.
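// Login check built on a parameterized query: the text typed into the two
// textboxes is sent to SQL Server as bound values, never spliced into the SQL
// string, so it cannot change the statement's structure.
try
{
    string strconn = ConfigurationManager.ConnectionStrings["sqlConn"].ConnectionString;
    // using-blocks guarantee the connection and command are closed/disposed
    // even when an exception is thrown before an explicit conn.Close() would run.
    using (SqlConnection conn = new SqlConnection(strconn))
    {
        conn.Open();
        // Fix for SQL injection: parameter placeholders instead of string concatenation.
        string sql = "select count(*) from Table_user where id=@Id and pass=@Pass";
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // Bind the parameter values from the input fields.
            cmd.Parameters.AddWithValue("@Id", textBox1.Text);
            // NOTE(review): the pass column is compared directly, which suggests the
            // stored value is the plaintext password — confirm; verifying a stored
            // password hash in code would be the safer design.
            cmd.Parameters.AddWithValue("@Pass", textBox2.Text);
            // count(*) comes back as a boxed int from ExecuteScalar.
            int res = (int)cmd.ExecuteScalar();
            MessageBox.Show(res != 0 ? "ok" : "error");
        }
    }
}
catch (Exception ex)
{
    MessageBox.Show("error");
    // ex.Message is already a string; the former .ToString() was redundant.
    // NOTE(review): surfacing the raw exception message to the user can reveal
    // connection or schema details; a generic message plus a log entry is safer.
    MessageBox.Show(ex.Message + "失败");
}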
Result (see figure):
Example input: account "s' or 1 = 1 - ",
password Cookin;