堆栈内存溢出
  简体   繁体   English

避免使用参数进行SQL注入?

[英]Avoiding SQL Injections with Parameters?

 原文  2014-04-30 14:19:45       c#/ mysql/ winforms/ parameters

问题描述

I have recently adjusted my code to avoid getting SQL injections and got helped with adding parameters but now the code is semi-foreign to me and was wondering what object reference is required for MySqlCommand.Parameters 我最近对代码进行了调整,以避免进行SQL注入,并获得了添加参数的帮助,但是现在代码对我来说是半外来的,并且想知道MySqlCommand.Parameters需要哪些对象引用 

MySqlParameter parameter = new MySqlParameter();
        parameter.ParameterName = "@userid";
        parameter.MySqlDbType = MySqlDbType.NVarChar;
        parameter.Direction = ParameterDirection.Input;
        parameter.Value = this.userid_txt.Text;
        parameter.Value = this.email_txt.Text;
        parameter.Value = this.passone_txt.Text;
        parameter.Value = this.passtwo_txt.Text;
        parameter.Value = this.lastname_txt.Text;
        parameter.Value = this.firstname_txt.Text;

        string Query = "insert into userdatabase.users (userid, email, passone, passtwo, lastname, firstname) values(@userid,@email,@passone,@passtwo,@lastname_txt,@firstname)";
        MySqlCommand.Parameters.AddWithValue("@userid", this.userid_txt.Text);
        MySqlCommand.Parameters.AddWithValue("@email", this.email_txt.Text);
        MySqlCommand.Parameters.AddWithValue("@passone", this.passone_txt.Text);
        MySqlCommand.Parameters.AddWithValue("@passtwo", this.passtwo_txt.Text);
        MySqlCommand.Parameters.AddWithValue("@lastname", this.lastname_txt.Text);
        MySqlCommand.Parameters.AddWithValue("@firstname", this.firstname_txt.Text);

        MySqlConnection conDataBase = new MySqlConnection();
        MySqlCommand cmdDataBase = new MySqlCommand(Query, conDataBase);
        MySqlCommand cmd = new MySqlCommand(Query, conDataBase);

        cmd.ExecuteNonQuery()

The errors I have state 我有状态错误

'MySql.Data.MySqlClient.MySqlDbType' does not contain a defintion for 'NVarChar' 'MySql.Data.MySqlClient.MySqlDbType'不包含'NVarChar'的定义

and the main 和主要

An object refrence is required for non-static field, method or property 'MySql.Data.MySqlClient.MySqlCommand.Parameters.get' 非静态字段,方法或属性'MySql.Data.MySqlClient.MySqlCommand.Parameters.get'需要对象刷新

I am relatively new to using MySql so any help is appreciated 我对使用MySql相对较新,因此不胜感激

EDIT: New code which causes a fatal error once I click register which connects to my database 编辑:新代码,一旦单击连接到我的数据库的寄存器,将导致致命错误 

MySqlCommand cmdDataBase = new MySqlCommand();
        MySqlParameter parameter = new MySqlParameter();

        string constring = "datasource=127.0.0.1;port=3306;username=root;password=welcome";
        string Query = "insert into userdatabase.users (userid, email, passone, passtwo, lastname, firstname) values(@userid,@email,@passone,@passtwo,@lastname_txt,@firstname)";
        cmdDataBase.Parameters.Add("@userid", MySqlDbType.VarChar).Value = userid_txt.Text;
        cmdDataBase.Parameters.Add("@email", MySqlDbType.VarChar).Value = email_txt.Text;
        cmdDataBase.Parameters.Add("@passone", MySqlDbType.VarChar).Value = passone_txt.Text;
        cmdDataBase.Parameters.Add("@passtwo", MySqlDbType.VarChar).Value = passtwo_txt.Text;
        cmdDataBase.Parameters.Add("@lastname", MySqlDbType.VarChar).Value = lastname_txt.Text;
        cmdDataBase.Parameters.Add("@firstname", MySqlDbType.VarChar).Value = firstname_txt.Text;


        MySqlConnection conDataBase = new MySqlConnection(constring);
        MySqlCommand cmd = new MySqlCommand(Query, conDataBase);

        try {
            conDataBase.Open();
            cmd.ExecuteNonQuery();
            MessageBox.Show("Welcome to iDSTEM!");
        }
            catch (Exception ex)
        {
                MessageBox.Show(ex.Message);
            }

1 个解决方案

解决方案1
 1  2014-04-30 14:21:15

You need the command itself - you're building it later: 您需要命令本身-您将在以后构建它: 

MySqlCommand cmdDataBase = new MySqlCommand(Query, conDataBase);

Just move that higher, and then use: 只需将其向上移动,然后使用: 

cmdDataBase.Parameters.AddWithValue(...);

It's not clear why you're creating the parameter variable at all, as you're never using it. 目前还不清楚为什么要创建parameter变量,因为您从未使用过它。

I would actually not use AddWithValue , but instead use: 我实际上不会使用AddWithValue ,而是使用: 

cmdDataBase.Parameters.Add("@userid", MySqlDbType.VarChar).Value = userid_txt.Text;
// etc

MySQL doesn't have a type of NVarChar , so MySqlDbType doesn't either, hence your error - I strongly suspect you just want VarChar . MySQL没有NVarChar类型,因此MySqlDbType也没有,因此您的错误-我强烈怀疑您只想要VarChar You don't need to specify the direction - that's implicitly "input" by default. 您无需指定方向-默认情况下隐式为“输入”。

Additionally, you should be using using statements for your connection and command: 此外,您应该对连接和命令使用using语句: 

using (var connection = new MySqlConnection(...))
{
    using (var command = new MySqlCommand(sql, connection))
    {
        ...
    }
}

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 通过 C# 避免带参数的 SQL 注入? - Avoiding SQL Injections with Parameters by C#? C#和SQL参数以防止注入 - C# and SQL parameters to prevent injections 避免不带参数的SQL注入 - Avoiding SQL injection without parameters SQL程序集和SQL注入 - SQL Assemblies and SQL Injections 在gridview中防止SQL注入 - Preventing SQL injections in a gridview 用于在WinForms中检测SQL注入的正则表达式 - Regex for detecting SQL Injections in WinForms 存储过程对SQL注入安全吗? - Are stored procedures safe from SQL injections? 我是否可以防止SQL注入? - Am I protected against SQL injections? SQL代码注入是否安全? (以及为什么) - Is this code safe from SQL injections? (and why) C# Linq 到 SQL 对 ZAC5C74B64B4B8352EF2F181AFFB5AC2 是安全的 - C# Linq to SQL is contains safe for sql injections
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM