Академический Документы
Профессиональный Документы
Культура Документы
’Alina’ or 1=1--
string frazaSQL =
"select nume, telefon1, medie from doc2006 where nume = '“
+txtNume.Text+"'“
string frazaSQL =
"select cod, nume, telefon1, medie from doc2006 where cod = '“
+tbCod.Text+"'";
SQL Injection - solutions
Using parameters
OleDbParameter param1;
string strSql =
"select nume, telefon1, medie from doc2006 where nume = @numParam";
param1 = myCmd.Parameters.Add(
new OleDbParameter("@numParam", OleDbType.LongVarChar) );
param1.Direction = ParameterDirection.Input;
myCmd.Parameters["@numParam"].Value = txtNume.Text;
OleDbDataReader dr = myCmd.ExecuteReader();
while (dr.Read())
{
textBox1.Text+="\r\n"+dr["nume"]+ " " + dr["telefon1"]+
" + dr["medie"];
}
SQL Injection - solutions
Stored procedures
private void creareProc_Click(object sender, System.EventArgs e)
{
string strCreare = "CREATE PROCEDURE PREMIANTI AS "
+"SELECT nume, telefon1, medie FROM doc2006 WHERE medie>9.5 ";
OleDbConnection con = new OleDbConnection(
@"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\doctoranzi2006.mdb");
con.Open(); OleDbCommand myCmd =new OleDbCommand();
myCmd.CommandType = CommandType.Text; myCmd.Connection = con;
myCmd.CommandText="DROP PROCEDURE PREMIANTI";
OleDbDataReader dr;
try { dr = myCmd.ExecuteReader(); dr.Close();}
catch { MessageBox.Show("Procedura de sters nu exista!!");}
myCmd.CommandText = strCreare;
try { dr = myCmd.ExecuteReader();dr.Close();}
catch { MessageBox.Show("Procedura nu a fost creata!!");}
}
SQL Injection - solutions
Stored procedures
private void apelProc_Click(object sender, System.EventArgs e)
{
OleDbConnection con =
new OleDbConnection(
@"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\doctoranzi2006.mdb");
con.Open();