
2017-4-21 字符串攻击 防御 实体类 数据访问类 属性扩展 三层架构开发

(一)防止sql数据库字符串注入攻击:

1.字符串注入攻击是指在填写内容时插入sql语句,从而对数据库进行操作


对数据库的攻击就是插入新的sql语句,并用注释符把后面的语句注释掉,例如:‘);update Students set Sname=‘‘;--

2.防止字符串注入攻击:

  cmd.CommandText = "update Student set Sname = @a",   ----  用占位符(参数)进行占位,这样攻击时输入的内容只会被当作参数值(普通数据)写入数据库,而不会被解析为sql语句

  cmd.Parameters.Clear();

  cmd.Parameters.AddWithValue("@a",xx);

(二)实体类:就是封装

  实体类的名称和数据库表的名称一致,

  成员变量与列名一致,在最前面多一个下划线,

  成员变量封装出来的属性与列名保持一致

(三)数据访问类

1.就是对数据库表进行操作,单独写成一个类,封装成一些方法,等待调用

  命名规则:数据库表名+Data

  好处:结构清晰,避免代码重复书写

  例:

  

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Data.SqlClient;

namespace 完整的增删改查.App_code
{
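    /// <summary>
    /// Data-access class for the Users table (naming rule: table name + "Data").
    /// Every statement is parameterized, so caller-supplied values travel as data
    /// and are never spliced into the SQL text.
    /// </summary>
    public class UsersData
    {
        // NOTE(review): the connection string below embeds the sa login and its password in
        // source. Outside a tutorial it should be loaded from configuration and use a
        // least-privilege database login rather than sa.
        SqlConnection conn = null;
        SqlCommand cmd = null;

        /// <summary>
        /// Creates the connection and one reusable command. All methods share this single
        /// connection/command pair, so an instance must not be used from several threads at once.
        /// </summary>
        public UsersData()
        {
            conn = new SqlConnection("server=localhost;database=stu0314;user=sa;pwd=13;");
            cmd = conn.CreateCommand();
        }

        /// <summary>
        /// Adds a parameter to the shared command. A null value is sent as DBNull so the
        /// provider does not reject the statement with "parameter was not supplied".
        /// </summary>
        /// <param name="name">Parameter name including the '@' prefix.</param>
        /// <param name="value">Value to bind; null becomes DBNull.Value.</param>
        private void AddParam(string name, object value)
        {
            cmd.Parameters.AddWithValue(name, value ?? DBNull.Value);
        }

        /// <summary>
        /// Maps the reader's current row onto a Users entity, one property per column.
        /// </summary>
        /// <param name="dr">Reader positioned on a row of the Users table.</param>
        /// <returns>A populated entity.</returns>
        private static Users ReadUser(SqlDataReader dr)
        {
            Users u = new Users();
            u.Ids = Convert.ToInt32(dr["ids"]);
            u.UserName = dr["UserName"].ToString();
            u.PassWord = dr["PassWord"].ToString();
            u.NikeName = dr["NikeName"].ToString();
            u.Sex = Convert.ToBoolean(dr["Sex"]);
            u.Birthday = Convert.ToDateTime(dr["Birthday"]);
            u.Nation = dr["Nation"].ToString();
            u.Class = dr["Class"].ToString();
            return u;
        }

        /// <summary>
        /// Opens the connection, executes the already-prepared non-query statement and
        /// closes the connection again even when execution throws (the original code left
        /// the connection open on an exception, making every later call fail).
        /// </summary>
        /// <returns>true when at least one row was affected.</returns>
        private bool ExecuteWrite()
        {
            try
            {
                conn.Open();
                return cmd.ExecuteNonQuery() > 0;
            }
            finally
            {
                conn.Close();
            }
        }

        /// <summary>
        /// Reads every row of the Users table.
        /// </summary>
        /// <returns>
        /// All users in the table. On a database error the failure is reported to the console
        /// and whatever was read before the error is returned (possibly an empty list).
        /// </returns>
        public List<Users> selectAll()
        {
            List<Users> ulist = new List<Users>();
            cmd.CommandText = "select * from Users";
            // The command is shared; drop parameters left behind by a previous call.
            cmd.Parameters.Clear();
            try
            {
                conn.Open();
                // Dispose the reader so the connection is actually free before Close().
                using (SqlDataReader dr = cmd.ExecuteReader())
                {
                    while (dr.Read())
                    {
                        ulist.Add(ReadUser(dr));
                    }
                }
            }
            catch (Exception)
            {
                // Best-effort read, as in the original: report and return what we have.
                Console.WriteLine("服务器连接失败");
            }
            finally
            {
                conn.Close();
            }
            return ulist;
        }

        /// <summary>
        /// Checks whether a user with the given user name already exists.
        /// </summary>
        /// <param name="uname">User name to look up; bound as a parameter, never concatenated.</param>
        /// <returns>true when at least one matching row exists.</returns>
        public bool selectUname(string uname)
        {
            cmd.CommandText = "select * from Users where UserName=@a";
            cmd.Parameters.Clear();
            AddParam("@a", uname);
            try
            {
                conn.Open();
                using (SqlDataReader dr = cmd.ExecuteReader())
                {
                    return dr.HasRows;
                }
            }
            finally
            {
                conn.Close();
            }
        }

        /// <summary>
        /// Inserts a new user. The column list is spelled out so the statement does not
        /// silently depend on the table's physical column order.
        /// </summary>
        /// <param name="u">User information to insert (PassWord, NikeName, Sex, Birthday, Nation, Class).</param>
        /// <param name="uname">User name stored in the UserName column.</param>
        /// <returns>true when a row was inserted.</returns>
        /// <exception cref="ArgumentNullException">u is null.</exception>
        public bool insert(Users u, string uname)
        {
            if (u == null)
            {
                throw new ArgumentNullException("u");
            }
            cmd.CommandText = "insert into Users(UserName,PassWord,NikeName,Sex,Birthday,Nation,Class) values(@a,@b,@c,@d,@e,@f,@g)";
            cmd.Parameters.Clear();
            AddParam("@a", uname);
            // NOTE(review): PassWord is persisted exactly as supplied; it should arrive here
            // already hashed (e.g. PBKDF2) rather than as the plaintext password.
            AddParam("@b", u.PassWord);
            AddParam("@c", u.NikeName);
            AddParam("@d", u.Sex);
            AddParam("@e", u.Birthday);
            AddParam("@f", u.Nation);
            AddParam("@g", u.Class);
            return ExecuteWrite();
        }

        /// <summary>
        /// Updates every editable column of the user identified by <paramref name="uname"/>.
        /// </summary>
        /// <param name="u">New values for the user.</param>
        /// <param name="uname">User name selecting the row to update.</param>
        /// <returns>true when at least one row was updated.</returns>
        /// <exception cref="ArgumentNullException">u is null.</exception>
        public bool update(Users u, string uname)
        {
            if (u == null)
            {
                throw new ArgumentNullException("u");
            }
            cmd.CommandText = "update Users set PassWord=@a,NikeName=@b,Sex=@c,Birthday=@d,Nation=@e,Class=@f where UserName=@g";
            cmd.Parameters.Clear();
            AddParam("@a", u.PassWord);
            AddParam("@b", u.NikeName);
            AddParam("@c", u.Sex);
            AddParam("@d", u.Birthday);
            AddParam("@e", u.Nation);
            AddParam("@f", u.Class);
            AddParam("@g", uname);
            return ExecuteWrite();
        }

        /// <summary>
        /// Deletes the user identified by <paramref name="uname"/>.
        /// </summary>
        /// <param name="uname">User name selecting the row to delete.</param>
        /// <returns>true when at least one row was deleted.</returns>
        public bool delete(string uname)
        {
            cmd.CommandText = "delete from Users where UserName=@a";
            cmd.Parameters.Clear();
            AddParam("@a", uname);
            return ExecuteWrite();
        }
    }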
}

 

(四)三层架构开发

  界面层  ----   UI层

  业务逻辑层  ----  c#代码部分

  数据访问层   ----  实体类与数据访问类(对数据的操作) 

(五)属性扩展

 封装的时候,一个成员变量不一定只对应一个属性,根据需求可以书写多个

  例:

  

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

namespace 完整的增删改查.App_code
{
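    /// <summary>
    /// Entity class mirroring the Users table: one backing field per column (column name with
    /// a leading underscore) exposed through a property of the same name as the column, plus
    /// read-only "extension" properties that render a column for display.
    /// </summary>
    public class Users
    {
        private int _Ids;
        /// <summary>
        /// User id (the ids column).
        /// </summary>
        public int Ids
        {
            get { return _Ids; }
            set { _Ids = value; }
        }
        private string _UserName;
        /// <summary>
        /// User name.
        /// </summary>
        public string UserName
        {
            get { return _UserName; }
            set { _UserName = value; }
        }
        private string _PassWord;
        /// <summary>
        /// User password as stored in the PassWord column.
        /// NOTE(review): nothing in this class or the data-access class hashes the value;
        /// it is written to and read from the database as given.
        /// </summary>
        public string PassWord
        {
            get { return _PassWord; }
            set { _PassWord = value; }
        }
        private string _NikeName;
        /// <summary>
        /// User nickname (column name kept as spelled in the table).
        /// </summary>
        public string NikeName
        {
            get { return _NikeName; }
            set { _NikeName = value; }
        }
        private bool _Sex;
        /// <summary>
        /// User sex as stored in the table (a bit column).
        /// </summary>
        public bool Sex
        {
            get { return _Sex; }
            set { _Sex = value; }
        }
        /// <summary>
        /// Read-only display form of Sex: returns 男 or 女.
        /// </summary>
        public string SexStr
        {
            // true -> 男, false -> 女, as the property's description states; the listing had
            // both branches empty, which made the property useless. Confirm the mapping
            // against the UI if a different convention is in use.
            get { return _Sex ? "男" : "女"; }
        }
        private DateTime _Birthday;
        /// <summary>
        /// User birthday.
        /// </summary>
        public DateTime Birthday
        {
            get { return _Birthday; }
            set { _Birthday = value; }
        }
        /// <summary>
        /// Read-only display form of Birthday, year and month only, using the current culture.
        /// </summary>
        public string BirthdayStr
        {
            get
            {
                return _Birthday.ToString("yyyy年MM月");
            }
        }
        private string _Nation;
        /// <summary>
        /// Nation code as stored in the table.
        /// </summary>
        public string Nation
        {
            get { return _Nation; }
            set { _Nation = value; }
        }
        /// <summary>
        /// Read-only display name for the nation code.
        /// Each access constructs a NationData and performs a lookup, so reading this
        /// property in a loop means one query per row.
        /// </summary>
        public string NationName
        {
            get
            {
                return new NationData().selectNationName(_Nation);
            }
        }
        private string _Class;
        /// <summary>
        /// Class code as stored in the table.
        /// </summary>
        public string Class
        {
            get { return _Class; }
            set { _Class = value; }
        }
        /// <summary>
        /// Read-only display name for the class code.
        /// Like NationName, this performs a lookup through ClassData on every access.
        /// </summary>
        public string ClassName
        {
            get { return new ClassData().ClassName(_Class); }
        }
    }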
}

 
