如何在这个登入验证页面防止sql注入

using System;
using System.Data;
using System.Configuration;
using System.Collections;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
using System.Data.SqlClient; public partial class login : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
    }
    protected void postuser_Click(object sender, EventArgs e)
    {
        SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.AppSettings["conn"]);
        con.Open();
        string cmdstr = "select * from h_p_companyuser where h_p_username='"+uname.Text.Trim()+"' and h_p_password='"+upass.Text.Trim()+"'";
        SqlCommand command = new SqlCommand(cmdstr,con);
        int i = (int)command.ExecuteScalar();
        try
        {
            if (i>0)
            {
                Session["username"] = uname.Text;
                Response.Redirect("logincheck.aspx");
            }
            else
            {
                errers.Text = "用户名或密码错误!";
            }
        }
        catch
        {
            errers.Text = "数据库连接错误!!";
        }
        finally
        {
            con.Close();
        }
    }
}

解决方案 »

免费领取超大流量手机卡，每月29元包185G流量+100分钟通话, 中国电信官方发货

string cmdstr = "select * from h_p_companyuser where h_p_username=@name
and h_p_password=@password";
SqlCommand command = new SqlCommand(cmdstr,con);
sqlparameter para1=new ();
para1.value=textbox1.text;
sqlparameter para2=new ();
para2.value=textbox2.text;
command.paramerter.add(para1);
command.paramerter.add(para2);
  int i = (int)command.ExecuteScalar();
        try
        {
            if (i>0)
            {
                Session["username"] = uname.Text;
                Response.Redirect("logincheck.aspx");
            }
            else
            {
                errers.Text = "用户名或密码错误!";
            }
        }
        catch
        {
            errers.Text = "数据库连接错误!!";
        }
        finally
        {
            con.Close();
        }
采用SqlParameter采用参数化查询，就可以防止sql注入
楼上们都对头别拿string拼
有很多方法!
1.存储过程
2.不安全字符过滤(replace方法)
3.比较加密字符串(用户名可以算定义加密算法,密码可以用ha1,md5系统有这两个算法的直接引用)
      sqlparameter para1=new();
        para1.value=uname.Text;
        sqlparameter para2=new();
        para2.value=upass.Text;
        command.paramerter.add(para1);
        command.paramerter.add(para2);这几句是什么意思 sqlparameter para1=new();
                sqlparameter para2=new();
为什么总报错呢?
SqlParameter para1=new SqlParameter("@username",NvarChar,50);
下面自己改
SQL注入太危险了，简直就是美女脱光了衣服给别人看！想起曾经一次被人SQL注入的遭遇，现在都心有余悸！
http://www.shenjk.com
参数化查询，就可以放在注入