Technology Sharing

C# method to verify whether the input statement contains SQL intrusion

2024-07-12

한어Русский языкEnglishFrançaisIndonesianSanskrit日本語DeutschPortuguêsΕλληνικάespañolItalianoSuomalainenLatina

In order to verify whether the data entered by the user contains SQL injection attack statements in C# WinForms, you can use a variety of methods to detect and prevent SQL injection. The following are some common methods:

1. Use parameterized queries

Parameterized queries are a best practice for preventing SQL injection by passing user input as parameters to SQL queries instead of embedding it directly into the SQL string. This ensures that user input cannot be interpreted as SQL code.

  1. using System.Data.SqlClient;
  2.  
  3. public void ExecuteQuery(string userInput)
  4. {
  5.     string connectionString = "数据库连接字符串";
  6.     string query = "SELECT * FROM Users WHERE Username = @Username";
  7.  
  8.     using (SqlConnection connection = new SqlConnection(connectionString))
  9.     using (SqlCommand command = new SqlCommand(query, connection))
  10.     {
  11.         command.Parameters.AddWithValue("@Username", userInput);
  12.  
  13.         connection.Open();
  14.         SqlDataReader reader = command.ExecuteReader();
  15.         while (reader.Read())
  16.         {
  17.             // Process the data
  18.         }
  19.     }
  20. }

2. Check for dangerous characters in user input

Common SQL injection characters and keywords, such as single quotes ('),Double quotes ("), semicolon (;), annotation symbol (--), as well as common SQL keywords such as SELECTINSERTDELETEUPDATEDROP etc).

  1. public bool IsSqlInjection(string input)
  2. {
  3.     string[] sqlCheckList = { "SELECT", "INSERT", "UPDATE", "DELETE", "DROP", "--", ";", "'" };
  4.     foreach (string item in sqlCheckList)
  5.     {
  6.         if (input.IndexOf(item, StringComparison.OrdinalIgnoreCase) >= 0)
  7.         {
  8.             return true;
  9.         }
  10.     }
  11.     return false;
  12. }
  13.  
  14.  
  15. string userInput = txtUserInput.Text;
  16. if (IsSqlInjection(userInput))
  17. {
  18.     MessageBox.Show("输入包含不安全的字符,请重新输入。");
  19. }
  20. else
  21. {
  22.     // 继续处理用户输入
  23.     ExecuteQuery(userInput);
  24. }

3. Use an ORM framework

Using an ORM (Object Relational Mapping) framework, such as Entity Framework, can greatly reduce the risk of SQL injection because the ORM framework automatically handles parameterized queries.

  1. using (var context = new YourDbContext())
  2. {
  3.     var user = context.Users.SingleOrDefault(u => u.Username == userInput);
  4.     if (user != null)
  5.     {
  6.         // Process the user data
  7.     }
  8. }

Personal profile

I have devoted myself to the research of technology for more than 30 years. I am proficient in various languages ​​such as Java, Linux, JavaScript, PHP, CSS, etc. I have made many contributions in the field of open source. I have established a developer documentation site to share some problems in technology development for everyone to read.

my contact information

Mail