发生sql注入攻击后的解决方法:
示例
//原SQL代码
select Orders.CustomerID,Orders.OrderID,Count(UnitPrice) as Items,SUM(UnitPrice*Quantity) as Total from Orders INNER JOIN [Order Details]on Orders.OrderID=[Order Details].OrderID
where Orders.CustomerID='"+txtId.Text+"' GROUP BY Orders.OrderID,Orders.CustomerID
需要使用参数化命令重写前面的代码来解决sql注入攻击
protected void btnQuery_Click(object sender, EventArgs e)
{
string conStr = WebConfigurationManager.ConnectionStrings["Northwind"].ConnectionString;
SqlConnection con = new SqlConnection(conStr);
con.Open();
string strSql = "select Orders.CustomerID,Orders.OrderID,Count(UnitPrice) as Items,SUM(UnitPrice*Quantity) as Total from Orders INNER JOIN [Order Details]on Orders.OrderID=[Order Details].OrderID where Orders.CustomerID=@CustomerID GROUP BY Orders.OrderID,Orders.CustomerID";
SqlCommand cmd = new SqlCommand(strSql, con);
cmd.Parameters.AddWithValue("@CustomerID", txtId.Text.Trim().ToString());
SqlDataReader reader = cmd.ExecuteReader();
GridView1.DataSource = reader;
GridView1.DataBind();
reader.Close();
con.Close();
}