I'm using an MS Access form on the start page with the VBA code below. The user enters a username and password and, if they check out, is forwarded to a dashboard page with the relevant content. I was checking whether the code is SQL-injection proof and, to my horror, it just carries on logging in without any problem! Can anyone help me harden the code against SQL injection attacks?
Dim SQLCheckUser As String
Dim hook As String
Dim rst As DAO.Recordset

If (Me.UserNameTextBox <> "" And Me.passwordtextbox <> "") Then
    hook = "'"
    ' The user input is concatenated straight into the SQL text between the quote
    ' characters, so a single quote typed into either box changes the WHERE clause.
    SQLCheckUser = ""
    SQLCheckUser = SQLCheckUser & " SELECT Id, UserName, UserCode FROM UserTable"
    SQLCheckUser = SQLCheckUser & " WHERE UserName = " & hook & Me.UserNameTextBox.Value & hook
    SQLCheckUser = SQLCheckUser & " AND UserPassword = " & hook & Me.passwordtextbox.Value & hook
    SQLCheckUser = SQLCheckUser & " AND IsInactive=0"
    ' Create RecordSet
    Set rst = CurrentDb.OpenRecordset(SQLCheckUser)
    ' Populate RecordCount (MoveLast raises error 3021 on an empty recordset, so guard it)
    If Not rst.EOF Then
        rst.MoveLast
        rst.MoveFirst
    End If
    If rst.RecordCount <> 1 Then
        MsgBox "Error 2: Please recheck your login details" ' Error 2: can't find the user, or too many users
        rst.Close
    Else
        ' Good login, load the values of the record from rst
        ID = rst.Fields("Id")
        UserName = rst.Fields("UserName")
        UserCode = rst.Fields("UserCode")
        IsLoggedIn = True
        rst.Close
        DoCmd.Close
        DoCmd.OpenForm ("Dashboard")
    End If
Else
    MsgBox "Please recheck your login details" ' Either UserName or Password has not been entered
End If
Parameterized queries are used to prevent SQL injection vulnerabilities. In your case you would use something like
Dim qdf As DAO.QueryDef
Dim rst As DAO.Recordset

' The SQL text is fixed; the user's input only ever arrives as parameter values.
Set qdf = CurrentDb.CreateQueryDef("", _
    "PARAMETERS prmUserName TEXT(255), prmUserPassword TEXT(255);" & _
    "SELECT Id, UserName, UserCode FROM UserTable" & _
    " WHERE UserName = [prmUserName] AND UserPassword = [prmUserPassword] AND IsInactive=0")
qdf!prmUserName = Me.UserNameTextBox.Value
qdf!prmUserPassword = Me.passwordtextbox.Value
Set rst = qdf.OpenRecordset
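The following is an added example, not part of the question or the answer above, that reproduces both the concatenated query from the question and the parameterized query from the answer side by side so the difference can be run and observed. It uses Python with an in-memory sqlite3 database standing in for the Access/Jet engine and DAO (the `?` placeholder replaces the `[prmUserName]` style, but the principle is the same); the `UserTable` rows and the two payload strings are constructed for the demonstration. It also shows why the `RecordCount <> 1` check in the original form is not a defence: a crude `OR '1'='1` payload is rejected only because it matches more than one active user, while a payload that names a single account returns exactly one row and logs in.

```python
import sqlite3

# Constructed sample rows standing in for the Access UserTable.
SAMPLE_USERS = [
    (1, "admin", "A1", "S3cret!", 0),
    (2, "alice", "U2", "alicepw", 0),
    (3, "bob",   "U3", "bobpw",   1),   # inactive account, never matched
]

# Constructed payloads typed into the password box. Jet SQL has no comment
# terminator, so a payload has to close the quote itself rather than comment
# the rest of the statement away.
NAIVE_PAYLOAD = "x' OR '1'='1"            # matches every active user: 2 rows
TARGETED_PAYLOAD = "x' OR UserName='admin"  # matches only admin: exactly 1 row


def make_db():
    """Create the in-memory stand-in for UserTable and load the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE UserTable (Id INTEGER, UserName TEXT, UserCode TEXT,"
        " UserPassword TEXT, IsInactive INTEGER)"
    )
    con.executemany("INSERT INTO UserTable VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return con


def vulnerable_lookup(con, username, password):
    """Mirror the original VBA: raw input is concatenated between quote characters."""
    hook = "'"
    sql = (
        "SELECT Id, UserName, UserCode FROM UserTable"
        " WHERE UserName = " + hook + username + hook
        + " AND UserPassword = " + hook + password + hook
        + " AND IsInactive=0"
    )
    return con.execute(sql).fetchall()


def parameterized_lookup(con, username, password):
    """Mirror the DAO QueryDef answer: fixed SQL text, values passed as parameters."""
    sql = (
        "SELECT Id, UserName, UserCode FROM UserTable"
        " WHERE UserName = ? AND UserPassword = ? AND IsInactive=0"
    )
    return con.execute(sql, (username, password)).fetchall()


def login(lookup, con, username, password):
    """Apply the form's rule: exactly one matching row means a successful login."""
    rows = lookup(con, username, password)
    if len(rows) != 1:
        return None          # "Error 2": no user, or too many users
    return rows[0]           # (Id, UserName, UserCode) loaded into the session


def demo():
    """Run the same credentials through both lookups and collect the outcomes."""
    con = make_db()
    return {
        "valid_vuln": login(vulnerable_lookup, con, "admin", "S3cret!"),
        "valid_param": login(parameterized_lookup, con, "admin", "S3cret!"),
        # Crude payload: two active users match, so the one-row check happens to reject it.
        "naive_vuln": login(vulnerable_lookup, con, "admin", NAIVE_PAYLOAD),
        # Targeted payload: AND binds tighter than OR, so the WHERE clause becomes
        # (UserName='admin' AND UserPassword='x') OR (UserName='admin' AND IsInactive=0)
        # and returns exactly the admin row, which passes the one-row check.
        "targeted_vuln": login(vulnerable_lookup, con, "admin", TARGETED_PAYLOAD),
        # With parameters the whole payload is compared as a password value and never matches.
        "naive_param": login(parameterized_lookup, con, "admin", NAIVE_PAYLOAD),
        "targeted_param": login(parameterized_lookup, con, "admin", TARGETED_PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} -> {result}")
```

The parameterized version fixes the injection only: the password box contents still go into the query as data, so the quote in the payload is just a character of a password that matches nothing. It does nothing about what the `UserPassword` column holds, so the comparison is still made against whatever value is stored there.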