
11-27 SQL注入漏洞攻擊

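public partial class login21 : System.Web.UI.Page
{
    /// <summary>
    /// Name of the connection-string entry read from web.config.
    /// (Sample key, constructed from the catalog name in the original listing;
    /// adjust it to the real entry in the site's configuration.)
    /// </summary>
    private const string ConnectionStringName = "T_User";

    protected void Page_Load(object sender, EventArgs e)
    {
        // No per-request setup is needed; the credential check runs in Button1_Click.
    }

    /// <summary>
    /// Handles the login button: looks the submitted user name and password up
    /// with a parameterized query and writes a success or failure message to the
    /// response.
    /// </summary>
    /// <param name="sender">The button that raised the event (unused).</param>
    /// <param name="e">Event data (unused).</param>
    /// <exception cref="InvalidOperationException">
    /// Thrown when no connection string named <see cref="ConnectionStringName"/> is configured.
    /// </exception>
    protected void Button1_Click(object sender, EventArgs e)
    {
        // The connection string (and the database password inside it) comes from
        // configuration rather than source, so no secret is committed with the
        // code. The account it names should hold only the rights this lookup needs;
        // the original listing connected as the server's "sa" administrator account.
        var settings = System.Web.Configuration.WebConfigurationManager.ConnectionStrings[ConnectionStringName];
        if (settings == null)
        {
            throw new InvalidOperationException(
                "Connection string '" + ConnectionStringName + "' is not configured.");
        }
        string constr = settings.ConnectionString;

        // Concatenating user input into the statement is what creates the
        // SQL-injection hole (an input like  jk' or 1=1--  rewrites the WHERE
        // clause). Named parameters keep the input out of the SQL text: the server
        // receives the statement and the values separately and never parses the
        // values as SQL. A parameterized stored procedure is the other common fix.
        // NOTE(review): the column names below are reconstructed from the parameter
        // names because the published copy of this query was garbled — confirm
        // them against the users table schema.
        const string sql = "select count(*) from users where username=@username and password=@password";

        using (SqlConnection con = new SqlConnection(constr))
        using (SqlCommand cmd = new SqlCommand(sql, con))
        {
            // Bind the values before executing so the server knows what
            // @username and @password stand for.
            cmd.Parameters.AddRange(new[]
            {
                new SqlParameter("@username", txtuUserName.Text.Trim()),
                new SqlParameter("@password", txtuPwd.Text.Trim()),
            });

            con.Open();
            int matches = Convert.ToInt32(cmd.ExecuteScalar());

            // Any matching row accepts the credentials. This compares the password
            // exactly as the table stores it; if the table keeps plaintext passwords
            // that is a separate weakness from injection (store and verify a salted
            // hash instead).
            Response.Write(matches > 0 ? "登陸成功" : "登陸失敗");
        }
    }
}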
