public static int GetUser(string name)
{
try
{
DataTable dtData = new DataTable();
SqlConnection sqlc = Connect(); //这样写法错误 比如传入的参数是 1 ' or '1'='1 将会把表emploreer 中所有数据都删除掉or '1'='1 总会成立
//string strSql = "delete from emploreer where username='"+name+"'"; //我这样写用了Parameters 竟然删除条数为0就是没有被全部删除掉
string strSql = "delete from emploreer where username=@p1"; SqlCommand sqlcom = new SqlCommand(strSql, sqlc);
sqlcom.Parameters.Add("@p1", SqlDbType.VarChar, 50);
sqlcom.Parameters["@p1"].Value = name;
sqlc.Open();
int c = sqlcom.ExecuteNonQuery();
sqlc.Close();
return c;
}
catch (Exception ex)
{
throw;
}
}
SqlCommand .Parameters 竟然有防止sql注入攻击的功能吗?还试巧合
{
try
{
DataTable dtData = new DataTable();
SqlConnection sqlc = Connect(); //这样写法错误 比如传入的参数是 1 ' or '1'='1 将会把表emploreer 中所有数据都删除掉or '1'='1 总会成立
//string strSql = "delete from emploreer where username='"+name+"'"; //我这样写用了Parameters 竟然删除条数为0就是没有被全部删除掉
string strSql = "delete from emploreer where username=@p1"; SqlCommand sqlcom = new SqlCommand(strSql, sqlc);
sqlcom.Parameters.Add("@p1", SqlDbType.VarChar, 50);
sqlcom.Parameters["@p1"].Value = name;
sqlc.Open();
int c = sqlcom.ExecuteNonQuery();
sqlc.Close();
return c;
}
catch (Exception ex)
{
throw;
}
}
SqlCommand .Parameters 竟然有防止sql注入攻击的功能吗?还试巧合
而直接写会把引号当sql语句一部分
怎么是巧合
所以注入无非就是利用....'+ +'......中间插入一段... 或...'....'...等等的么
....'...'....'... '...... 只要引号匹配
string.format("delete from emploreer where username='{0}'",name) ;
string strSql = "delete from emploreer where username='"+name+"'";两个一样都是会全部删掉数据