ASP.NET Login Control - protect from SQLi with Authenticate event?

╄→гoц情女王★ submitted on 2019-12-24 16:35:24

Question


I have a quick question about the ASP.NET Login control.

I understand that it protects from SQL Injection, but I was wondering if it also protects when I use the "Authenticate" Sub (for a custom authenticate method)?

Can I go ahead and use 'username' and 'password' in an SQL statement without coding them as parameters? Cheers.


Answer 1:


"SELECT * FROM aspnet_Membership AS A INNER JOIN aspnet_Users AS B ON A.UserId = B.UserId WHERE B.UserName = '" & Login1.UserName & "' AND A.Password = '" & Login1.Password & "';"

The above SQL statement is not safe. It is prone to SQL injection attacks. You want to use a parameterized query.

For example,

SELECT * 
FROM aspnet_Membership AS A INNER JOIN aspnet_Users AS B 
     ON A.UserId = B.UserId 
WHERE B.UserName = @UserName AND A.Password = @Password
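
The parameterized query above wired into the Login control's Authenticate handler, as an added example that is not part of the original answer. The class name `LoginPage`, the connection string name `MembershipDb` and the parameter sizes are assumptions; like the answer's query, it compares the Password column directly, which only matches when the stored and submitted values are in the same form.

```vbnet
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient
Imports System.Web.UI.WebControls

Partial Class LoginPage                 ' assumed code-behind class name
    Inherits System.Web.UI.Page

    ' Same join as the answer's query. The statement text is a constant:
    ' user input is never concatenated into it.
    Private Const AuthSql As String =
        "SELECT COUNT(*) " &
        "FROM aspnet_Membership AS A INNER JOIN aspnet_Users AS B " &
        "     ON A.UserId = B.UserId " &
        "WHERE B.UserName = @UserName AND A.Password = @Password"

    Protected Sub Login1_Authenticate(sender As Object, e As AuthenticateEventArgs) _
            Handles Login1.Authenticate
        e.Authenticated = False         ' fail closed unless exactly one row matches

        ' "MembershipDb" is an assumed connection string name from web.config.
        Dim connStr As String =
            ConfigurationManager.ConnectionStrings("MembershipDb").ConnectionString

        Try
            Using conn As New SqlConnection(connStr)
                Using cmd As New SqlCommand(AuthSql, conn)
                    ' Explicit type and size (sizes assumed from the default
                    ' membership schema). A value containing a quote character
                    ' is sent as data and compared literally; it cannot alter
                    ' the statement.
                    cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value =
                        Login1.UserName
                    cmd.Parameters.Add("@Password", SqlDbType.NVarChar, 128).Value =
                        Login1.Password

                    conn.Open()
                    Dim matches As Integer = CInt(cmd.ExecuteScalar())
                    e.Authenticated = (matches = 1)
                End Using
            End Using
        Catch ex As SqlException
            ' Database errors leave the user unauthenticated.
            e.Authenticated = False
        End Try
    End Sub
End Class
```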


Source: https://stackoverflow.com/questions/36427520/asp-net-login-control-protect-from-sqli-with-authenticate-event
