我将这个验证字符串写在源代码里:主要功能是验证用户的登陆。
请大家帮我看一下怎样使用SQL Server 注入来实现没有正确密码的情况下也能登陆,谢谢。
string selectString = "select AdministratorId,name from Administrators where name ='" + txtName.Text + "' and password ='" + txtPassword.Text + "'";
请大家帮我看一下怎样使用SQL Server 注入来实现没有正确密码的情况下也能登陆,谢谢。
string selectString = "select AdministratorId,name from Administrators where name ='" + txtName.Text + "' and password ='" + txtPassword.Text + "'";
避免的话你可以把用户名密码用SqlParameter
string name = this.txtName.Text;
string password = this.txtPassword.Text;
// Validation of name and password
if (name == null | name.Length < 1)
{
// Empty name
}
if (password == null || password.Length < 1)
{
// Empty password
}SqlConnection connection = new SqlConnection(...);
SqlCommand command = new SqlCommand("SELECT [AdministratorId], [name] FROM [Administrators] WHERE [name] = @name AND [password] = @password");
command.Connection = connection;
command.Parameters.Add("@name", name);
command.Parameters.Add("@password", password);
...
应为
if (name == null || name.Length < 1)
我的主页,欢迎来攻击,呵呵。