我在Visual Basic 2010中使用vb.net并使用Query从应用程序(WinForms)编辑我的在线MySQL数据库。
以下是将新用户插入数据库的示例:
MySQLCon.Open()
Dim SQLADD As String = "INSERT INTO members(member,gamertag,role) VALUES('" & memberToAdd.Text & "','" & membersGamertag.Text & "','" & membersRole.Text & "')"
COMMAND = New MySqlCommand(SQLADD, MySQLCon)
READER = COMMAND.ExecuteReader
memberToAdd.Text = ""
membersGamertag.Text = ""
membersRole.Text = ""
MySQLCon.Close()
MySQLCon.Dispose()
如何防止MySQL数据库注入攻击?
-------------------------------------------- ------------------------------------
这种参数化方式对于这些代码集也是理想的吗?
设置1:
Dim SQLReq As String = "UPDATE members SET req= '" & request & "' WHERE member= '" & My.Settings.username & "'"
submitRequest(SQLReq)
设置2
MySQLCon.Open()
Dim SQLID As String = "SELECT * FROM members WHERE member='" & My.Settings.username & "'"
COMMAND = New MySqlCommand(SQLID, MySQLCon)
READER = COMMAND.ExecuteReader()
While READER.Read
xboxGamertag.Value2 = READER.GetString("gamertag")
vagueRole.Value2 = READER.GetString("role")
vagueID.Value2 = READER.GetInt32("id")
End While
MySQLCon.Close()
MySQLCon.Dispose()
设置3
MySQLCon.Open()
Dim Query As String
Query = "SELECT member FROM members"
command = New MySqlCommand(Query, MySQLCon)
SDA.SelectCommand = command
SDA.Fill(dbDataSet)
bSource.DataSource = dbDataSet
vagueMembers.DataSource = bSource
SDA.Update(dbDataSet)
MySQLCon.Close()
MySQLCon.Dispose()
这是@Fred
的编辑现在设置1:
MySQLCon.Open()
Dim SQLADD As String = "UPDATE members SET req= @request WHERE member= @memberName"
COMMAND = New MySqlCommand(SQLADD, MySQLCon)
COMMAND.Parameters.AddWithValue("@request", request)
COMMAND.Parameters.AddWithValue("@memberName", My.Settings.username)
COMMAND.ExecuteNonQuery()
MySQLCon.Close()
MySQLCon.Dispose()
现在设置2:
MySQLCon.Open()
Dim SQLID As String = "SELECT * FROM members WHERE member= @member"
COMMAND = New MySqlCommand(SQLID, MySQLCon)
COMMAND.Parameters.AddWithValue("@member", My.Settings.username)
COMMAND.ExecuteNonQuery()
READER = COMMAND.ExecuteReader()
While READER.Read
xboxGamertag.Value2 = READER.GetString("gamertag")
vagueRole.Value2 = READER.GetString("role")
vagueID.Value2 = READER.GetInt32("id")
End While
MySQLCon.Close()
MySQLCon.Dispose()
现在设置3:
Same as usual cause you said it should be fine.
这些是正确的吗?是否受到注射?
答案 0 :(得分:2)
MySQLCon.Open()
Dim SQLADD As String = "INSERT INTO members(member,gamertag,role) VALUES(@memberToAdd, @memberGamingTag, @memberRole)"
COMMAND = New MySqlCommand(SQLADD, MySQLCon)
COMMAND.Parameters.AddWithValue("@memberToAdd", memberToAdd.Text)
COMMAND.Parameters.AddWithValue("@memberGamingTag", membersGamertag.Text)
COMMAND.Parameters.AddWithValue("@memberRole", membersRole.Text)
COMMAND.ExecuteNonQuery()
memberToAdd.Text = ""
membersGamertag.Text = ""
membersRole.Text = ""
MySQLCon.Close()
MySQLCon.Dispose()
您不需要使用COMMAND.ExecuteReader,因为您没有检索数据。
你永远不应该像这样构建你的查询:
UPDATE members SET req= '" & request & "' WHERE member= '" & My.Settings.username & "'"
SQL Injection可以使用,你应该像我上面的示例中那样参数化你的查询。这适用于任何查询INSERT,UPDATE,SELECT
答案 1 :(得分:1)
而不是像这样连接你的SQL语句:
Dim SQLADD As String = "INSERT INTO members(member,gamertag,role) VALUES('" & memberToAdd.Text & "','" & membersGamertag.Text & "','" & membersRole.Text & "')"
使用@前缀指定每个参数,不带任何引号:
Dim SQLADD As String = "INSERT INTO members(member,gamertag,role) VALUES(@member, @gamertag, @role)"
然后使用数据库中数据类型的正确变量类型为每个参数指定值:
command.Parameters.AddWithValue("@member", member)
command.Parameters.AddWithValue("@gamertag", gamertag)
command.Parameters.AddWithValue("@role", role)
您的示例编辑不参数化查询。永远不要将SQL字符串与变量连接起来。
答案 2 :(得分:0)
您应该将插入查询放在存储过程中。
conn.Open();
cmd.Connection = conn;
cmd.CommandText = "add_mem";
cmd.CommandType = CommandType.StoredProcedure;
cmd.Parameters.AddWithValue("@member", "Jones");
cmd.Parameters["@lname"].Direction = ParameterDirection.Input;
cmd.Parameters.AddWithValue("@gamertag", "Tom");
cmd.Parameters["@fname"].Direction = ParameterDirection.Input;
cmd.Parameters.AddWithValue("@role", "1940-06-07");
cmd.Parameters["@bday"].Direction = ParameterDirection.Input;
cmd.Parameters["@empno"].Direction = ParameterDirection.Output;
cmd.ExecuteNonQuery();