Question
I am making a Windows application in C#. I have read about SQL injection, but I didn't find it working on my application.
Does SQL injection work in WinForms?
If yes, how do I prevent it?
EDIT:
I am using textboxes for reading the user name and password, and by using textboxes I found that the text from the textbox is between double quotes (""). So I didn't find it to work.
And when I use quotes " or ' in the textbox, the text is read as \" or \'.
Example:
USER NAME: | a" OR "1"=="1 |
// it is read as textBox1.Text = "a\" OR \"1\"==\"1";
Answer 1:
SQL injection is a general issue not depending on any technology. If you are using .NET and want to prevent SQL injection, always use SqlParameter instead of string concatenation.
Answer 2:
Yes. The simplest way to prevent it is to use SqlParameters for any user input sent to the database. Or don't use the SqlDataAdapter and use the Entity Framework instead.
Answer 3:
SQL injection is caused by using user input directly within SQL statements constructed on the fly (called dynamic SQL); this enables users to break the SQL or "inject" their own SQL code.
Using stored procedures or SQL with parameters gets around this.
So yes, this can occur within WinForms if the SQL is coded that way.
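The parameter approach recommended in Answers 1 and 3, shown as an added example that is not code from the question or any of the answers. It also addresses the confusion in the question's edit: the \" that the debugger shows is only how Visual Studio displays a C# string literal, and the actual textbox content contains a real quote character. The table and column names (Users, UserName, Id) and the sample input are assumptions constructed for the example; the code builds the commands without opening a connection, so it runs anywhere System.Data.SqlClient is available.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

class ParameterDemo
{
    // Vulnerable: the user's text becomes part of the SQL text itself.
    // A quote character in the input terminates the string literal
    // and the rest of the input is parsed as SQL.
    static string BuildUnsafeQuery(string userName)
    {
        return "SELECT Id FROM Users WHERE UserName = '" + userName + "'";
    }

    // Safe: the SQL text is fixed at compile time and the value is sent
    // separately as a typed parameter, so it can never be parsed as SQL.
    static SqlCommand BuildSafeCommand(string userName)
    {
        var cmd = new SqlCommand("SELECT Id FROM Users WHERE UserName = @userName");
        cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 64).Value = userName;
        return cmd;
    }

    static void Main()
    {
        // Constructed sample input, as if typed into textBox1 (hypothetical).
        // The debugger would display it as "O\'Brien" / "O'Brien", but the
        // string holds a single real quote character.
        string input = "O'Brien";
        Console.WriteLine("Input contains a quote: " + input.Contains("'")); // True

        // The quote lands inside the SQL text and breaks the string literal.
        Console.WriteLine("Unsafe SQL: " + BuildUnsafeQuery(input));

        // The SQL text never changes; the value travels in the parameter.
        SqlCommand safe = BuildSafeCommand(input);
        Console.WriteLine("Safe SQL:   " + safe.CommandText);
        Console.WriteLine("Parameter:  " + safe.Parameters["@userName"].Value);
    }
}
```

Running this prints the concatenated query with the literal broken at `O'`, while the parameterized command's text stays exactly as written and the whole input, quote included, is carried in @userName. Escaping or filtering quote characters in the textbox is not a substitute: the fix is to keep data out of the SQL text altogether, which is what SqlParameter (or stored procedures with parameters, or Entity Framework) does.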
Source: https://stackoverflow.com/questions/5495753/do-sql-injection-works-in-winforms