
注入漏洞及參數化查詢

using System;

using System.Collections.Generic;

using System.Linq;

using System.Text;

using System.Data.SqlClient;

namespace ADO.NET詳解

{

    class Program

    {

        static void Main(string[] args)

        {

            Console.WriteLine("請輸入使用者名");

            string username = Console.ReadLine();

            Console.WriteLine("請輸入密碼");

            string password = Console.ReadLine();

            using (SqlConnection conn = new SqlConnection(@"Data Source=.;Database=Database1;user ID=sa;pwd=888888"))//在Sqlconnection,Sqlcommand,SqlDataReader等使用using,可以

            //釋放掉所占用的資源,相當于Disposed()方法.

            {

                conn.Open();

                using (SqlCommand cmd = conn.CreateCommand())

                {

                    //下列語句不使用參數化查詢,容易造成SQL注入攻擊,隻要使用者輸入的密碼為1' or '1'='1格式,即可以正常登陸進去

 //cmd.CommandText = "SELECT count(*) from T_Users WHERE UserName='" + username + "' and Password='" + password + "'";

                    //這裡使用參數化查詢,比較安全

                    cmd.CommandText = "SELECT count(*) from T_Users WHERE UserName=@Username and Password=@Password";

                    cmd.Parameters.Add(new SqlParameter("Username",username));

                    cmd.Parameters.Add(new SqlParameter("Password", password));

                    int i=Convert.ToInt32(cmd.ExecuteScalar());

                    if(i>0)

                    {

                        Console.WriteLine("登入成功");

                    }

                    else

                        Console.WriteLine("使用者名或密碼錯誤");

                }

                Console.ReadKey();

            }

        }

    }

注入查詢界面:
