Is this code vulnerable to SQL injection?
When the page loads, you have to fill in a few text boxes and then click Add:
tbSpyReports spyReport = new tbSpyReports();
spyReport.sgCityLevel = Convert.ToInt32(tbCityLevel.Text);
spyReport.sgCityName = tbCityName_insert.Text;
....
spyReport.insert();
Response.Redirect(Request.RawUrl);
SqlConnection con = ikaConn.getConn();
SqlCommand command = new SqlCommand("INSERT INTO spyReports(cityName, playerName, cityId, islandId, cordX, cordY, " + "cityLevel, cityWall, cityWarehouse, Wood, Wine, Marble, Crystal, Sulfur, hasArmies) VALUES(" + "@cityName, @playerName, @cityId, @islandId, @cordX, @cordY, " + "@cityLevel, @cityWall, @cityWarehouse, @Wood, @Wine, @Marble, @Crystal, @Sulfur, @hasArmies)", con);
command.Parameters.Add(new SqlParameter("cityName", this.cityName));
command.Parameters.Add(new SqlParameter("playerName", this.playerName));
....
command.ExecuteNonQuery();
command.Dispose();
It should not be vulnerable to classic SQL injection of this form:
statement = "SELECT * FROM users WHERE name ='" + userName + "';"
when you use parameterized queries, as you do here.
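To make the difference concrete, here is an added example (not code from the question or the answer) in the same C# / SqlClient style. It assumes a spyReports table with the cityName, playerName and cityLevel columns named in the question, a connection string supplied by the caller (placeholder below), and the Microsoft.Data.SqlClient package; the input value and the BuildConcatenatedSql helper are constructed for illustration. A value containing a single quote breaks the concatenated statement, while the parameterized insert treats the same value as plain data:

```csharp
using System;
using System.Data;
using Microsoft.Data.SqlClient;

// Added example, not part of the original question or answer.
public static class SpyReportInsert
{
    // Unsafe pattern from the answer: the value is spliced into the SQL text,
    // so any quote in it becomes part of the statement. Kept only to contrast
    // with the parameterized version below; never build queries this way.
    public static string BuildConcatenatedSql(string cityName)
    {
        return "SELECT * FROM spyReports WHERE cityName = '" + cityName + "'";
    }

    // Safe pattern matching the question's insert: the SQL text is fixed at
    // compile time and every value travels as a typed parameter, so the
    // database never interprets user input as SQL, whatever it contains.
    public static int InsertReport(string connectionString, string cityName, string playerName, int cityLevel)
    {
        const string sql =
            "INSERT INTO spyReports(cityName, playerName, cityLevel) " +
            "VALUES(@cityName, @playerName, @cityLevel)";

        using (var con = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, con))
        {
            // Explicit types and lengths avoid implicit conversions and keep
            // the server's plan cache to a single plan for this statement.
            command.Parameters.Add("@cityName", SqlDbType.NVarChar, 100).Value = cityName;
            command.Parameters.Add("@playerName", SqlDbType.NVarChar, 100).Value = playerName;
            command.Parameters.Add("@cityLevel", SqlDbType.Int).Value = cityLevel;

            con.Open();
            return command.ExecuteNonQuery(); // rows affected, 1 on success
        }
    }

    public static void Main()
    {
        // Constructed input containing a quote. Concatenation produces an
        // unbalanced literal; the parameterized insert stores it unchanged.
        string city = "Ty'rion";

        Console.WriteLine(BuildConcatenatedSql(city));
        // SELECT * FROM spyReports WHERE cityName = 'Ty'rion'  (broken statement)

        // Against a real database (placeholder connection string):
        // int rows = InsertReport("<connection string placeholder>", city, "player", 3);
    }
}
```

The parameter names in the question are added without the leading @ (SqlParameter("cityName", ...)); SqlClient accepts that and prefixes it for you, so the two forms are equivalent. One separate point worth a check in the question's code: Convert.ToInt32(tbCityLevel.Text) throws a FormatException on non-numeric input, so int.TryParse with a validation message is the usual defensive choice there; that is an input-validation issue, not an injection one.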