(Forum Q & A)

xiaoxiao2021-03-06  14

Http://community.9cbs.net/expert/topic/3803/3803170.xml?temp=.6236078

Everyone has these 5 misunderstandings:

1. SQL injection is hard to prevent. For numeric fields, string replacement is useless; the value must be converted to a number.
2. Ignoring the DropDownList is a mistake. Everything from the client is untrusted, and the SELECT drop-down box is no exception, because anyone can write an HTML page that submits to your server.
3. Using SQL Server the way Access is used. If SQL Server is used like Access, with one sa account, then SQL Server is obviously less safe than Access: you can get the table names and field names directly! Access is the other way round, because its table names can only be guessed.
4. "The website shows no error messages, so it is safe." When there is a record, the record is displayed; when there is none, nothing is found. From these two states alone you can guess the field names, so a page that never shows an error is not therefore safe.
5. Ignoring the information submitted by POST. Many people strictly filter what is passed on the URL and ignore what comes in by POST, but POST data is easier to inject because there are generally more fields.

In ASP.NET I strongly recommend that SQL be done through parameters rather than by splicing SQL strings, because even if you filter 100%, it comes to this:

using System.Data;
using System.Data.SqlClient;

// Parameterized update: the values never become part of the SQL text.
SqlConnection conn = new SqlConnection(System.Configuration.ConfigurationSettings.AppSettings["conn"]);
SqlCommand comm = new SqlCommand("update tb1 set vName = @vName, iAge = @iAge where ID = @id", conn);
SqlParameter parm1 = new SqlParameter("@vName", SqlDbType.NVarChar, 50);
parm1.Value = ((TextBox)e.Item.FindControl("name")).Text;
SqlParameter parm2 = new SqlParameter("@iAge", SqlDbType.Int);
parm2.Value = int.Parse(((TextBox)e.Item.FindControl("age")).Text);  // numeric field: convert, don't splice
SqlParameter parm3 = new SqlParameter("@id", SqlDbType.Int);
parm3.Value = this.DataGrid1.DataKeys[e.Item.ItemIndex];
comm.Parameters.Add(parm1);
comm.Parameters.Add(parm2);
comm.Parameters.Add(parm3);
conn.Open();
comm.ExecuteNonQuery();  // the command, not the connection, executes the statement
conn.Close();

Such a code looks comfortable and safe, why not?
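As an added example (not from the post above), the two styles the post contrasts side by side: a spliced query built from raw form text, and the parameterized version that also converts the numeric fields first (misunderstanding 1) and treats POST fields the same as URL fields (misunderstanding 5). The class, method names, table and connection string are all assumptions made for this example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class UserRepository
{
    // Placeholder connection string for this example; real code reads it from configuration.
    private const string ConnectionString = "Server=.;Database=Demo;Integrated Security=true";

    // UNSAFE: the field values become part of the SQL text. Any apostrophe in
    // the name (even a legitimate one, such as O'Brien) ends the string literal,
    // and whatever follows is parsed as SQL rather than as data.
    public static string BuildSplicedUpdate(string name, string age, string id)
    {
        return "update tb1 set vName = '" + name + "', iAge = " + age + " where ID = " + id;
    }

    // SAFE: numeric fields are converted before use, and every value travels as a
    // typed parameter, so the statement text is fixed no matter what the client sent.
    // Whether the fields arrived on the URL or in a POST body makes no difference here.
    public static int UpdateUser(string nameField, string ageField, string idField)
    {
        if (!int.TryParse(ageField, out int age))
            throw new ArgumentException("age must be an integer", nameof(ageField));
        if (!int.TryParse(idField, out int id))
            throw new ArgumentException("id must be an integer", nameof(idField));

        const string sql = "update tb1 set vName = @vName, iAge = @iAge where ID = @id";

        using (var conn = new SqlConnection(ConnectionString))
        using (var comm = new SqlCommand(sql, conn))
        {
            comm.Parameters.Add("@vName", SqlDbType.NVarChar, 50).Value = nameField;
            comm.Parameters.Add("@iAge", SqlDbType.Int).Value = age;
            comm.Parameters.Add("@id", SqlDbType.Int).Value = id;

            conn.Open();
            return comm.ExecuteNonQuery();   // rows affected
        }
    }

    public static void Main()
    {
        // Constructed sample input: a name with an apostrophe shows why splicing breaks.
        Console.WriteLine(BuildSplicedUpdate("O'Brien", "30", "7"));
        // The parameterized path would run the same fixed statement for this input:
        // update tb1 set vName = @vName, iAge = @iAge where ID = @id
    }
}
```

The spliced builder is kept only to show the difference; the `SqlCommand` path is the one to use, and because `age` and `id` go through `int.TryParse`, a non-numeric value is rejected before any SQL is sent rather than being "filtered" by string replacement.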

Please credit the original address when reposting: https://www.9cbs.com/read-48103.html
