データベースから人物を追加および検索できるプログラムを実行しています。すべての機能は現在機能していますが、SQL インジェクションを防止したいと考えています。何か案は?助けてくれてありがとう!
これが検索機能です。
public static void SearchAll() //Söka fram alla deltagare och visa det i rutan på skärmen.
{
Form1.result = "";
connectionString = @"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C:\Users\Carlo\Desktop\Projekt\Examensarbete 2018\AdminPanel\AdminPanel\employees.mdf;Integrated Security=True";
sql = "SELECT * FROM [employee]";
cnn = new SqlConnection(connectionString);
cnn.Open();
cmd = new SqlCommand(sql, cnn);
reader = cmd.ExecuteReader();
while (reader.Read())
{
Form1.result += "Email: " + reader.GetValue(1) + Environment.NewLine;
Form1.result += "First name: " + reader.GetValue(2) + Environment.NewLine;
Form1.result += "Last name: " + reader.GetValue(3) + Environment.NewLine;
Form1.result += "Address: " + reader.GetValue(4) + Environment.NewLine;
Form1.result += "Phonenumber: " + reader.GetValue(5) + Environment.NewLine;
Form1.result += "Jobtitle: " + reader.GetValue(7) + Environment.NewLine;
Form1.result += "Salary: " + reader.GetValue(6) + Environment.NewLine + Environment.NewLine;
}
}
これは追加機能です:
public static void Add(string AddEmail, string AddFistName, string AddLastName, string AddAddress, string AddPhonenumber, string AddJobTitle, string AddSalary, string checkboxChecker) //Lägg til en deltagare funktionen.
{
connectionString = @"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C:\Users\Carlo\Desktop\Projekt\Examensarbete 2018\AdminPanel\AdminPanel\employees.mdf;Integrated Security=True";
using(var conn = new SqlConnection(connectionString))
{
var cmd = new SqlCommand("insert into Employee (Email, FirstName, LastName, Address, Phonenumber, Salary, JobTitle, GDPR,StartDate) VALUES ('" + AddEmail + "','" + AddFistName + "','" + AddLastName + "','" + AddAddress + "','" + AddPhonenumber + "', '" + AddJobTitle + "', '" + AddSalary + "', '" + checkboxChecker + "', GETDATE())", conn);
conn.Open();
cmd.ExecuteNonQuery();
}
}
これをしようとすると System.NullReferenceException が発生します。私はそれを修正しようとしましたが、問題が「電子メール」にあると言われている問題を見つけることができません。
public static void LoginChecker(string email, string Password) //Funktionen som kollar ifall man får logga in eller inte.
{
Form1.result = "";
failedCounter = 3;
connectionString = @"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C:\Users\Carlo\Desktop\Projekt\Examensarbete 2018\AdminPanel\AdminPanel\employees.mdf;Integrated Security=True";
sql = "SELECT * FROM Login WHERE UserName = @email AND Password = @password ";
cmd.Parameters.AddWithValue("@email", email);
cmd.Parameters.AddWithValue("@password", Password); //the problem says to be here!!!!!!
cnn = new SqlConnection(connectionString);
cnn.Open();
cmd = new SqlCommand(sql, cnn);
reader = cmd.ExecuteReader();
if (reader.Read() == true) //Om det finns ett inlogg med rätt email och lösenord så kommer man in.
{
Form1.Log = "Successful";
}
else //Om det inte finns ett inlogg med det som skrivits in så kommer man inte in.
{
Form1.Log = "Failed";
}
}