Heima Programmer: the difference between Dispose() and Close(), and how to use `using`
Posted by 阿新 on 2019-01-04
Another way to check a user login with SqlCommand.ExecuteScalar():
Dispose(): destroys the object outright; it cannot be used again.
Close(): closes the connection; the object can be reopened and reused afterwards.
A `using` block calls Dispose() as soon as its scope is exited. SqlConnection and FileStream both make the same check internally: if the object has not been closed yet, they call Close() first and then Dispose().
The following code is easy to attack with SQL injection (so how do we prevent injection?):
```csharp
using System;
using System.Data.SqlClient;

class Program
{
    static void Main()
    {
        // Point |DataDirectory| at the project folder when running from bin\Debug or bin\Release
        string dataDir = AppDomain.CurrentDomain.BaseDirectory;
        if (dataDir.EndsWith(@"\bin\Debug\") || dataDir.EndsWith(@"\bin\Release\"))
        {
            dataDir = System.IO.Directory.GetParent(dataDir).Parent.Parent.FullName;
            AppDomain.CurrentDomain.SetData("DataDirectory", dataDir);
        }
        Console.WriteLine("請輸入使用者名稱:");
        string UserName = Console.ReadLine();
        Console.WriteLine("請輸入密碼:");
        string password = Console.ReadLine();
        // using() here guarantees the connection is disposed (and its resources released) when the block exits; the same applies below
        using (SqlConnection conn = new SqlConnection(@"Data Source=.\SQLEXPRESS;AttachDBFilename=|DataDirectory|\Database1.mdf;Integrated Security=true;User Instance=true"))
        {
            conn.Open();
            using (SqlCommand com = conn.CreateCommand())
            {
                // VULNERABLE: the user's input is concatenated straight into the SQL text,
                // so whatever they type becomes part of the query itself
                com.CommandText = "select count(*) from Table4 where Admin = '" + UserName + "' and PassWord = '" + password + "'";
                int i = Convert.ToInt32(com.ExecuteScalar());
                if (i > 0)
                {
                    Console.WriteLine("登陸成功");
                }
                else
                {
                    Console.WriteLine("使用者名稱或密碼錯誤");
                }
            }
        }
        Console.ReadKey();
    }
}
```
Parameterized query (not vulnerable to injection):
```csharp
using System;
using System.Data.SqlClient;

class Program
{
    static void Main()
    {
        // Point |DataDirectory| at the project folder when running from bin\Debug or bin\Release
        string dataDir = AppDomain.CurrentDomain.BaseDirectory;
        if (dataDir.EndsWith(@"\bin\Debug\") || dataDir.EndsWith(@"\bin\Release\"))
        {
            dataDir = System.IO.Directory.GetParent(dataDir).Parent.Parent.FullName;
            AppDomain.CurrentDomain.SetData("DataDirectory", dataDir);
        }
        Console.WriteLine("請輸入使用者名稱:");
        string UserName = Console.ReadLine();
        Console.WriteLine("請輸入密碼:");
        string password = Console.ReadLine();
        // using() here guarantees the connection is disposed (and its resources released) when the block exits; the same applies below
        using (SqlConnection conn = new SqlConnection(@"Data Source=.\SQLEXPRESS;AttachDBFilename=|DataDirectory|\Database1.mdf;Integrated Security=true;User Instance=true"))
        {
            conn.Open();
            using (SqlCommand com = conn.CreateCommand())
            {
                // SAFE: the SQL text is fixed; user input only ever arrives as parameter values
                com.CommandText = "select count(*) from Table4 where Admin = @username and PassWord = @PassWord";
                // Note: do not give the @username and @PassWord parameters the same names as the
                // variables holding the user's input, otherwise unexpected errors may occur
                com.Parameters.Add(new SqlParameter("username", UserName));
                com.Parameters.Add(new SqlParameter("PassWord", password));
                int i = Convert.ToInt32(com.ExecuteScalar());
                if (i > 0)
                {
                    Console.WriteLine("登陸成功");
                }
                else
                {
                    Console.WriteLine("使用者名稱或密碼錯誤");
                }
            }
        }
        Console.ReadKey();
    }
}
```
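The following is an added example, not code from the post, that pulls the two points together: a reusable parameterized login check with typed, sized parameters, and a short demonstration of why a Close()d connection can be reopened while a Dispose()d one cannot. It assumes the post's connection string and its Table4(Admin, PassWord) table; `LoginDemo`, `ConnStr`, `LoginOk` and `CloseVersusDispose` are names chosen here.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not the post's own code). Assumes the post's connection string
// and a Table4 table with Admin and PassWord columns; ConnStr is a hypothetical constant.
static class LoginDemo
{
    const string ConnStr =
        @"Data Source=.\SQLEXPRESS;AttachDBFilename=|DataDirectory|\Database1.mdf;Integrated Security=true;User Instance=true";

    // Parameterized login check: the SQL text is constant, and the user's input travels
    // only as parameter values, so nothing the user types can alter the query structure.
    public static bool LoginOk(string userName, string password)
    {
        using (SqlConnection conn = new SqlConnection(ConnStr))
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText =
                "SELECT COUNT(*) FROM Table4 WHERE Admin = @username AND PassWord = @password";
            // Typed, sized parameters: no implicit type conversion and a hard cap on value length.
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = userName;
            cmd.Parameters.Add("@password", SqlDbType.NVarChar, 50).Value = password;
            conn.Open();
            // Like the post, this compares the stored PassWord column directly;
            // a production system would store and compare a password hash instead.
            return Convert.ToInt32(cmd.ExecuteScalar()) > 0;
        }
    }

    // Close() vs Dispose(): after Close() the same object can be opened again;
    // after Dispose() the connection string is cleared and Open() throws.
    public static void CloseVersusDispose()
    {
        SqlConnection conn = new SqlConnection(ConnStr);
        conn.Open();
        conn.Close();
        conn.Open();        // fine: Close() leaves the object reusable
        conn.Dispose();     // Dispose() closes the connection (if still open) and tears the object down
        try
        {
            conn.Open();    // throws InvalidOperationException: connection string not initialized
        }
        catch (InvalidOperationException e)
        {
            Console.WriteLine("After Dispose(): " + e.Message);
        }
    }
}
```

`LoginOk` uses the `using` pattern from the post, so both the command and the connection are disposed whether the query succeeds or throws.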