很好地预防 MYSQL 注射?
Good prevention from MYSQL injection?
所以我制作了一个表单,您可以在其中从数据库登录。代码应该是不言自明的。
private void button1_Click(object sender, EventArgs e)
{
try
{
string MyConnection = "datasource=localhost;port=3306;username=root;password=xdmemes123";
MySqlConnection myConn = new MySqlConnection(MyConnection);
MySqlCommand SelectCommand = new MySqlCommand("select * from life.players where DBname='" + this.username.Text + "' and DBpass='" + this.password.Text +"' ; ", myConn);
MySqlDataReader myReader;
myConn.Open();
myReader = SelectCommand.ExecuteReader();
int count = 0;
while (myReader.Read())
{
count = count + 1;
}
if (count == 1)
{
Properties.Settings.Default.Security = "Secure";
Properties.Settings.Default.AdminName = username.Text;
Properties.Settings.Default.AdminPass = password.Text;
Properties.Settings.Default.Save();
MessageBox.Show("Logged in");
this.Hide();
Form2 f2 = new Form2();
f2.ShowDialog();
}
else if (count > 1)
{
Properties.Settings.Default.Security = "Insecure";
MessageBox.Show("Incorrect!");
}
else
{
Properties.Settings.Default.Security = "Insecure";
MessageBox.Show("Incorrect!");
myConn.Close();
}
}
catch (Exception ex)
{
MessageBox.Show("Something went wrong. Error copied to clipboard.");
Clipboard.SetText(ex.Message);
}
}
但我的问题是这是否可以避免 MYSQL 注射?如果没有,我该怎么做才能确保安全?
如果可能,写下或解释如何写这段代码。我对这种编码很陌生,但真的很喜欢它并想继续我的计划。
您可以使用 Parameters.Add,因为内联文本允许注入,更好的 SQL 的示例是:
using (var conn = new SqlConnection( @"datasource=localhost;port=3306;username=root;password=xdmemes123"))
{
conn.Open();
var command = new SqlCommand("", conn);
command.CommandText = "select * from life.players where DBname='@sqlName' and DBpass='@sqlPass";
command.Parameters.Add("@sqlName", SqlDbType.VarChar ).Value = this.username.Text;
command.Parameters.Add("@sqlPass", SqlDbType.VarChar ).Value = this.password.Text;
using (SqlDataReader myReader = command.ExecuteReader())
{
while (myReader.Read())
{
string value = myReader["COLUMN NAME"].ToString();
}
}
}
除了注入问题,您没有对任何密码进行哈希处理,我建议调查一下。
代码容易受到 SQL 注入,事实上,这是一个完美的例子 - 字符串连接和 SELECT * 将允许攻击者输入例如密码 x' OR 1=1;# 和检索 所有 用户名和未加密的密码。即使是不必要的计算结果的循环也会导致明显的延迟,这将告诉攻击者他已经成功了。
尽管以下代码不是验证密码的正确方法,但不易受到注入攻击。它仅用于演示目的。请注意,它不使用SELECT *,只有一个SELECT count(*):
//Reuse the same command with different connections
void InitializePlayerCmd()
{
var query = "SELECT COUNT(*) FROM life.players where DBName=@name and DbPass=@pass";
var myCmd= new MySqlCommand(query);
myCmd.Parameters.Add("@name", SqlDbType.VarChar,30 );
myCmd.Parameters.Add("@pass", SqlDbType.VarChar,200 );
_playerCheckCmd=myCmd;
}
//.....
int CheckPlayer(string someUserName, string someAlreadyHashedString)
{
var connectionString=Properties.Settings.Default.MyConnectionString;
using(var myConn= new MySqlConnection(connectionString))
{
_playerCheckCmd.Connection=myConn;
_playerCheckCmd.Parameters["@name"].Value=someUserName;
_playerCheckCmd.Parameters["@pass"].Value=someAlreadyHashedString;
myConn.Open();
var result=_playerCheckCmd.ExecuteScalar();
return result;
}
}
所以我制作了一个表单,您可以在其中从数据库登录。代码应该是不言自明的。
private void button1_Click(object sender, EventArgs e)
{
try
{
string MyConnection = "datasource=localhost;port=3306;username=root;password=xdmemes123";
MySqlConnection myConn = new MySqlConnection(MyConnection);
MySqlCommand SelectCommand = new MySqlCommand("select * from life.players where DBname='" + this.username.Text + "' and DBpass='" + this.password.Text +"' ; ", myConn);
MySqlDataReader myReader;
myConn.Open();
myReader = SelectCommand.ExecuteReader();
int count = 0;
while (myReader.Read())
{
count = count + 1;
}
if (count == 1)
{
Properties.Settings.Default.Security = "Secure";
Properties.Settings.Default.AdminName = username.Text;
Properties.Settings.Default.AdminPass = password.Text;
Properties.Settings.Default.Save();
MessageBox.Show("Logged in");
this.Hide();
Form2 f2 = new Form2();
f2.ShowDialog();
}
else if (count > 1)
{
Properties.Settings.Default.Security = "Insecure";
MessageBox.Show("Incorrect!");
}
else
{
Properties.Settings.Default.Security = "Insecure";
MessageBox.Show("Incorrect!");
myConn.Close();
}
}
catch (Exception ex)
{
MessageBox.Show("Something went wrong. Error copied to clipboard.");
Clipboard.SetText(ex.Message);
}
}
但我的问题是这是否可以避免 MYSQL 注射?如果没有,我该怎么做才能确保安全?
如果可能,写下或解释如何写这段代码。我对这种编码很陌生,但真的很喜欢它并想继续我的计划。
您可以使用 Parameters.Add,因为内联文本允许注入,更好的 SQL 的示例是:
using (var conn = new SqlConnection( @"datasource=localhost;port=3306;username=root;password=xdmemes123"))
{
conn.Open();
var command = new SqlCommand("", conn);
command.CommandText = "select * from life.players where DBname='@sqlName' and DBpass='@sqlPass";
command.Parameters.Add("@sqlName", SqlDbType.VarChar ).Value = this.username.Text;
command.Parameters.Add("@sqlPass", SqlDbType.VarChar ).Value = this.password.Text;
using (SqlDataReader myReader = command.ExecuteReader())
{
while (myReader.Read())
{
string value = myReader["COLUMN NAME"].ToString();
}
}
}
除了注入问题,您没有对任何密码进行哈希处理,我建议调查一下。
代码容易受到 SQL 注入,事实上,这是一个完美的例子 - 字符串连接和 SELECT * 将允许攻击者输入例如密码 x' OR 1=1;# 和检索 所有 用户名和未加密的密码。即使是不必要的计算结果的循环也会导致明显的延迟,这将告诉攻击者他已经成功了。
尽管以下代码不是验证密码的正确方法,但不易受到注入攻击。它仅用于演示目的。请注意,它不使用SELECT *,只有一个SELECT count(*):
//Reuse the same command with different connections
void InitializePlayerCmd()
{
var query = "SELECT COUNT(*) FROM life.players where DBName=@name and DbPass=@pass";
var myCmd= new MySqlCommand(query);
myCmd.Parameters.Add("@name", SqlDbType.VarChar,30 );
myCmd.Parameters.Add("@pass", SqlDbType.VarChar,200 );
_playerCheckCmd=myCmd;
}
//.....
int CheckPlayer(string someUserName, string someAlreadyHashedString)
{
var connectionString=Properties.Settings.Default.MyConnectionString;
using(var myConn= new MySqlConnection(connectionString))
{
_playerCheckCmd.Connection=myConn;
_playerCheckCmd.Parameters["@name"].Value=someUserName;
_playerCheckCmd.Parameters["@pass"].Value=someAlreadyHashedString;
myConn.Open();
var result=_playerCheckCmd.ExecuteScalar();
return result;
}
}