发生sql注入攻击后如何解决 sql注入攻击怎么解决

文章摘要：发生sql注入攻击后如何解决 sql注入攻击怎么解决

发生sql注入攻击后的解决方法： 示例 //原SQL代码 select Orders.CustomerID,O […]

发生sql注入攻击后的解决方法：

示例

//原SQL代码

select Orders.CustomerID,Orders.OrderID,Count(UnitPrice) as Items,SUM(UnitPrice*Quantity) as Total from Orders INNER JOIN [Order Details]on Orders.OrderID=[Order Details].OrderID

where Orders.CustomerID='"+txtId.Text+"' GROUP BY Orders.OrderID,Orders.CustomerID

需要使用参数化命令重写前面的代码来解决sql注入攻击

protected void btnQuery_Click(object sender, EventArgs e)

{

string conStr = WebConfigurationManager.ConnectionStrings["Northwind"].ConnectionString;

SqlConnection con = new SqlConnection(conStr);

con.Open();

string strSql = "select Orders.CustomerID,Orders.OrderID,Count(UnitPrice) as Items,SUM(UnitPrice*Quantity) as Total from Orders INNER JOIN [Order Details]on Orders.OrderID=[Order Details].OrderID where Orders.CustomerID=@CustomerID GROUP BY Orders.OrderID,Orders.CustomerID";

SqlCommand cmd = new SqlCommand(strSql, con);

cmd.Parameters.AddWithValue("@CustomerID", txtId.Text.Trim().ToString());

SqlDataReader reader = cmd.ExecuteReader();

GridView1.DataSource = reader;

GridView1.DataBind();

reader.Close();

con.Close();

}