gpt4 book ai didi

mysql - 如何使用 vb.net 防止 MySQL 数据库注入(inject)攻击?

转载 作者:搜寻专家 更新时间:2023-10-30 20:26:35 26 4
gpt4 key购买 nike

我在 Visual Basic 2010 中使用 vb.net,并使用 Query 从应用程序 (WinForms) 编辑我的在线 MySQL 数据库。

这是一个将新用户插入数据库的示例:

MySQLCon.Open()
Dim SQLADD As String = "INSERT INTO members(member,gamertag,role) VALUES('" & memberToAdd.Text & "','" & membersGamertag.Text & "','" & membersRole.Text & "')"
COMMAND = New MySqlCommand(SQLADD, MySQLCon)
READER = COMMAND.ExecuteReader
memberToAdd.Text = ""
membersGamertag.Text = ""
membersRole.Text = ""
MySQLCon.Close()
MySQLCon.Dispose()

如何防止MySQL数据库注入(inject)攻击?

-------------------------------------------- ------------------------------------

Is this Parameterized way also ideal for these sets of code?

Set 1:

Dim SQLReq As String = "UPDATE members SET req= '" & request & "' WHERE member= '" & My.Settings.username & "'"
submitRequest(SQLReq)

Set 2

MySQLCon.Open()
Dim SQLID As String = "SELECT * FROM members WHERE member='" & My.Settings.username & "'"
COMMAND = New MySqlCommand(SQLID, MySQLCon)
READER = COMMAND.ExecuteReader()
While READER.Read
xboxGamertag.Value2 = READER.GetString("gamertag")
vagueRole.Value2 = READER.GetString("role")
vagueID.Value2 = READER.GetInt32("id")
End While
MySQLCon.Close()
MySQLCon.Dispose()

Set 3

MySQLCon.Open()
Dim Query As String
Query = "SELECT member FROM members"
command = New MySqlCommand(Query, MySQLCon)
SDA.SelectCommand = command
SDA.Fill(dbDataSet)
bSource.DataSource = dbDataSet
vagueMembers.DataSource = bSource
SDA.Update(dbDataSet)
MySQLCon.Close()
MySQLCon.Dispose()

This is an edit for @Fred

Set 1 is now:

MySQLCon.Open()
Dim SQLADD As String = "UPDATE members SET req= @request WHERE member= @memberName"
COMMAND = New MySqlCommand(SQLADD, MySQLCon)
COMMAND.Parameters.AddWithValue("@request", request)
COMMAND.Parameters.AddWithValue("@memberName", My.Settings.username)
COMMAND.ExecuteNonQuery()
MySQLCon.Close()
MySQLCon.Dispose()

Set 2 is now:

MySQLCon.Open()
Dim SQLID As String = "SELECT * FROM members WHERE member= @member"
COMMAND = New MySqlCommand(SQLID, MySQLCon)
COMMAND.Parameters.AddWithValue("@member", My.Settings.username)
COMMAND.ExecuteNonQuery()
READER = COMMAND.ExecuteReader()
While READER.Read
xboxGamertag.Value2 = READER.GetString("gamertag")
vagueRole.Value2 = READER.GetString("role")
vagueID.Value2 = READER.GetInt32("id")
End While
MySQLCon.Close()
MySQLCon.Dispose()

Set 3 is now:

Same as usual cause you said it should be fine.

这些正确吗?防止注入(inject)?

最佳答案

MySQLCon.Open()
Dim SQLADD As String = "INSERT INTO members(member,gamertag,role) VALUES(@memberToAdd, @memberGamingTag, @memberRole)"
COMMAND = New MySqlCommand(SQLADD, MySQLCon)
COMMAND.Parameters.AddWithValue("@memberToAdd", memberToAdd.Text)
COMMAND.Parameters.AddWithValue("@memberGamingTag", membersGamertag.Text)
COMMAND.Parameters.AddWithValue("@memberRole", membersRole.Text)
COMMAND.ExecuteNonQuery()
memberToAdd.Text = ""
membersGamertag.Text = ""
membersRole.Text = ""
MySQLCon.Close()
MySQLCon.Dispose()

您不需要使用 COMMAND.ExecuteReader,因为您没有检索数据。

你永远不应该像这样构建你的查询:

UPDATE members SET req= '" & request & "' WHERE member= '" & My.Settings.username & "'"

很容易SQL Injection ,你应该像我在上面的例子中那样参数化你的查询。这适用于任何查询,无论是 INSERTUPDATESELECT

关于mysql - 如何使用 vb.net 防止 MySQL 数据库注入(inject)攻击?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/30860971/

26 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com