ADO.NET 解決注入式攻擊的方式

利用參數傳遞（參數化查詢）來執行 SQL，可有效地阻絕 SQL injection。
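// Parameterised login lookup: the values typed into txtID / txtPwd are sent as parameters,
// never spliced into the SQL text, so they cannot alter the statement (SQL injection).
// NOTE(review): the query compares the AdminPwd column directly with the typed password,
// which implies the password is stored in clear text; storing a salted hash and comparing
// hashes is the safer design — confirm how AdminSystem.AdminPwd is populated.
string strSQL = "select * from AdminSystem Where AdminID=@AdminID and AdminPwd=@AdminPwd";

// ConnectionString is the property that holds the value; the original used ToString(),
// which returns the same text but relies on an implementation detail of ConnectionStringSettings.
string ConnString = ConfigurationManager.ConnectionStrings["SQLConnectionString"].ConnectionString;

// conn and cmd are declared here (the original assigned them to undeclared outer names) and
// wrapped in using-blocks so connection, command and reader are closed/disposed even when
// Open() or ExecuteReader() throws; the original left all three open on that path.
using (SqlConnection conn = new SqlConnection(ConnString))
using (SqlCommand cmd = new SqlCommand(strSQL, conn))
{
    // Explicit type and size give the provider stable parameter metadata instead of
    // inferring it per call; 50 presumably matches the column width — TODO confirm against schema.
    cmd.Parameters.Add("@AdminID", SqlDbType.NVarChar, 50).Value = txtID.Text;
    cmd.Parameters.Add("@AdminPwd", SqlDbType.NVarChar, 50).Value = txtPwd.Text;

    conn.Open();
    using (SqlDataReader dr = cmd.ExecuteReader())
    {
        // Consume dr here; the original snippet ends right after ExecuteReader(), so the
        // reading code belongs inside this block where the reader and connection are still open.
    }
}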
