标题:
c#如何防止SQL注入攻击以及实现安全散列登录
作者:
冯华亮
时间:
2012-8-6 12:43
标题:
c#如何防止SQL注入攻击以及实现安全散列登录
注意我的SQL版本是SQL 2005，系统是Windows XP，推荐大家使用的测试工具是VS2008；如若不能执行，请把原因发给我。因为涉及GUI设计，所以有需要的同学可告知一声。
第一段是查询代码
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using System.Data.SqlClient;
using System.Security.Cryptography;
namespace 散列安全登录
{
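public partial class Form1 : Form
{
    // Login form: counts the rows in table b whose user name and password hash
    // match the two text boxes and opens Form2 when at least one row matches.
    //
    // NOTE(review): the stored password is an unsalted SHA-1 of the ASCII bytes of
    // the password, because that is what the registration form (Form3) writes.
    // The format is kept here so existing rows keep working, but it is weak:
    // SHA-1 is fast, there is no per-user salt, and ASCII encoding turns every
    // non-ASCII character into '?', so distinct non-ASCII passwords collide.
    // Migrating to a salted, slow KDF (e.g. Rfc2898DeriveBytes, already available
    // via System.Security.Cryptography) has to be done in Form1, Form3 and the
    // table schema together.
    public Form1()
    {
        InitializeComponent();
    }

    SqlConnection conn;
    SHA1CryptoServiceProvider sha;

    // Opens the registration form when the link label is clicked.
    private void linkLabel1_LinkClicked(object sender, LinkLabelLinkClickedEventArgs e)
    {
        Form f3 = new Form3();
        f3.Show();
    }

    // Creates the connection object and the hash provider. The SqlConnection
    // constructor only stores the connection string; it does not contact the
    // server, so a bad server name or password surfaces in button1_Click when
    // conn.Open() runs, not here.
    private void Form1_Load(object sender, EventArgs e)
    {
        try
        {
            conn = new SqlConnection(Global.connstring);
            sha = new SHA1CryptoServiceProvider();
        }
        catch (Exception ex)
        {
            MessageBox.Show("数据库连接失败" + ex.Message);
        }
    }

    // Verifies the login. Both user input values travel as SqlParameters and are
    // never concatenated into the SQL text, which is what prevents SQL injection.
    // The connection is closed in a finally block so a failing query no longer
    // leaves it open (the original would then fail on the next click with
    // "connection is already open").
    private void button1_Click(object sender, EventArgs e)
    {
        int result;
        try
        {
            // ASCII encoding must stay in step with Form3, which hashes the same way.
            byte[] data = Encoding.ASCII.GetBytes(textBox2.Text);
            byte[] hash = sha.ComputeHash(data);

            using (SqlCommand cmd = new SqlCommand())
            {
                cmd.Connection = conn;
                cmd.CommandType = CommandType.Text;
                cmd.CommandText = "select count(*) from b where denglu=@denglu and password=@password";
                // Size 10 matches the column; a longer user name is truncated by the
                // provider before it is sent, so it is compared on its first 10 chars.
                cmd.Parameters.Add("@denglu", SqlDbType.VarChar, 10).Value = textBox1.Text;
                cmd.Parameters.Add("@password", SqlDbType.Binary, 50).Value = hash;

                conn.Open();
                try
                {
                    result = (int)cmd.ExecuteScalar();
                }
                finally
                {
                    conn.Close();
                }
            }
        }
        catch (SqlException ex)
        {
            // Same wording as Form1_Load so database errors look alike to the user.
            MessageBox.Show("数据库连接失败" + ex.Message);
            return;
        }

        if (result > 0)
        {
            Form f2 = new Form2();
            f2.ShowDialog();
        }
        else
        {
            // One message for both "unknown user" and "wrong password" on purpose:
            // it does not reveal which user names exist.
            MessageBox.Show("failure");
        }
    }
}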
}

第二段是散列登录代码
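public partial class Form3 : Form
{
    // Registration form: inserts a row into table b with the user name, the
    // SHA-1 hash of the password and a salt column.
    //
    // NOTE(review): the @salt column is written as the constant 4 and is never
    // mixed into the hash (the random-salt code is commented out below), so the
    // stored value is effectively an unsalted SHA-1 of the ASCII bytes of the
    // password. Form1 verifies against exactly this format, so moving to a real
    // per-user salt and a slow KDF (e.g. Rfc2898DeriveBytes) must be done in
    // both forms and the table at the same time.
    public Form3()
    {
        InitializeComponent();
    }

    SqlConnection conn;

    // Creates the connection object; the constructor does not connect, so
    // connection errors only appear in button1_Click when conn.Open() runs.
    private void Form3_Load(object sender, EventArgs e)
    {
        try
        {
            conn = new SqlConnection(Global.connstring);
        }
        catch (Exception ex)
        {
            MessageBox.Show("数据库连接失败" + ex.Message);
        }
    }

    // Registers the user if the two password boxes agree.
    // The confirmation compares the two strings directly. The original hashed
    // both, converted the hashes back to strings with Encoding.ASCII and compared
    // those; that round-trip is lossy (every byte >= 0x80 becomes '?'), and two
    // passwords that differ only in non-ASCII characters hash identically, so
    // mismatching inputs could be accepted.
    private void button1_Click(object sender, EventArgs e)
    {
        //byte []salt=new byte[8];
        //RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
        //rng.GetBytes(salt);
        if (!string.Equals(textBox2.Text, textBox3.Text, StringComparison.Ordinal))
        {
            MessageBox.Show("两次输入的密码不一致", "提示");
            textBox2.Text = "";
            textBox3.Text = "";
            textBox2.Focus();
            return;
        }

        byte[] password;
        using (SHA1CryptoServiceProvider sha = new SHA1CryptoServiceProvider())
        {
            // ASCII encoding must stay in step with Form1, which verifies the same way.
            password = sha.ComputeHash(Encoding.ASCII.GetBytes(textBox2.Text));
        }

        try
        {
            // Values are bound as parameters, never spliced into the SQL text.
            // The insert relies on the table's column order (name, hash, salt).
            using (SqlCommand cmd = new SqlCommand("insert into b values(@denglu,@password,@salt)", conn))
            {
                cmd.Parameters.Add("@denglu", SqlDbType.Char, 10).Value = textBox1.Text;
                cmd.Parameters.Add("@password", SqlDbType.Binary, 50).Value = password;
                cmd.Parameters.Add("@salt", SqlDbType.Int, 4).Value = 4;

                conn.Open();
                try
                {
                    cmd.ExecuteNonQuery();
                }
                finally
                {
                    // Release the connection even when the insert fails (e.g. a
                    // duplicate key); otherwise the next attempt cannot Open().
                    conn.Close();
                }
            }
        }
        catch (SqlException ex)
        {
            // Same wording as Form3_Load so database errors look alike to the user.
            MessageBox.Show("数据库连接失败" + ex.Message);
        }
    }

    // Closes the registration form.
    private void button2_Click(object sender, EventArgs e)
    {
        this.Close();
    }
}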
作者:
许庭洲
时间:
2012-8-6 13:50
// Parameter substitution guards against SQL injection: user input is bound as a
// typed parameter value and never becomes part of the SQL text.
cmd.CommandText = "select count(*) from b where denglu=@denglu and password=@password";// original note: "filter SQL-sensitive input as fully as possible" — more precisely, the input is never spliced into the statement at all
byte[] data = Encoding.ASCII.GetBytes(textBox2.Text);
cmd.Parameters.Add("@denglu",SqlDbType.VarChar,10).Value=textBox1.Text;// the field value that could otherwise be injected is passed as a parameter instead
cmd.Parameters.Add("@password",SqlDbType.Binary,50).Value= sha.ComputeHash(data);// the field value that could otherwise be injected is passed as a parameter instead
// Parameter substitution guards against SQL injection (same principle for the insert).
cmd = new SqlCommand("insert into b values(@denglu,@password,@salt)",conn);// original note: "filter SQL-sensitive input as fully as possible" — the placeholders are bound below, not filtered
cmd.Parameters.Add("@denglu", SqlDbType.Char,10).Value = textBox1.Text;// the field value that could otherwise be injected is passed as a parameter instead
cmd.Parameters.Add("@password", SqlDbType.Binary,50).Value = password;// the field value that could otherwise be injected is passed as a parameter instead
cmd.Parameters.Add("@salt", SqlDbType.Int, 4).Value = 4;// the field value that could otherwise be injected is passed as a parameter instead