学步园

asp.ne bbst源码分析

---

1.登陆页面

---

1.登陆页面

登陆页面中需要注意的大致上就是两条：如何实现验证码？如何防止sql注入。

1.如何实现验证码？

验证码简单的实现可以通过在服务器端生成一个图片完成。前台的话添加一个img html控件，onclick事件中重新加载checkcode页面。后台中使用dotnet类库中自带的drawing来实现生成一个图片。代码即文档，代码如下：

<img id="Img1" alt="看不清，请点击我！" onclick="this.src=this.src+'?'" src="../ProjectBBS/CheckCode.aspx" mce_src="ProjectBBS/CheckCode.aspx"<br /> style="width: 73px; height: 22px" align="left" /></td> 

public partial class _Default : System.Web.UI.Page<br /> {<br /> protected void Page_Load(object sender, EventArgs e)<br /> {<br /> CreateCheckCodeImage(GenerateCheckCode());<br /> }</p> <p> private string GenerateCheckCode()<br /> {<br /> int number;<br /> char code;<br /> string checkCode = String.Empty;</p> <p> Random random = new Random();</p> <p> for (int i = 0; i < 4; i++)<br /> {<br /> number = random.Next();</p> <p> code = (char)('0' + (char)(number % 10));</p> <p> checkCode += code.ToString();<br /> }</p> <p> Response.Cookies.Add(new HttpCookie("CheckCode", checkCode));</p> <p> return checkCode;<br /> }</p> <p> private void CreateCheckCodeImage(string checkCode)<br /> {<br /> if (checkCode == null || checkCode.Trim() == String.Empty)<br /> return;</p> <p> System.Drawing.Bitmap image = new System.Drawing.Bitmap((int)Math.Ceiling((checkCode.Length * 12.5)), 22);<br /> Graphics g = Graphics.FromImage(image);</p> <p> try<br /> {<br /> //生成随机生成器<br /> Random random = new Random();</p> <p> //清空图片背景色<br /> g.Clear(Color.White);</p> <p> //画图片的背景噪音线<br /> for (int i = 0; i < 2; i++)<br /> {<br /> int x1 = random.Next(image.Width);<br /> int x2 = random.Next(image.Width);<br /> int y1 = random.Next(image.Height);<br /> int y2 = random.Next(image.Height);</p> <p> g.DrawLine(new Pen(Color.Black), x1, y1, x2, y2);<br /> }</p> <p> Font font = new System.Drawing.Font("Arial", 12, (System.Drawing.FontStyle.Bold));<br /> System.Drawing.Drawing2D.LinearGradientBrush brush = new System.Drawing.Drawing2D.LinearGradientBrush(new Rectangle(0, 0, image.Width, image.Height), Color.Blue, Color.DarkRed, 1.2f, true);<br /> g.DrawString(checkCode, font, brush, 2, 2);</p> <p> //画图片的前景噪音点<br /> for (int i = 0; i < 100; i++)<br /> {<br /> int x = random.Next(image.Width);<br /> int y = random.Next(image.Height);</p> <p> image.SetPixel(x, y, Color.FromArgb(random.Next()));<br /> }</p> <p> //画图片的边框线<br /> g.DrawRectangle(new Pen(Color.Silver), 0, 0, image.Width - 1, image.Height - 1);</p> <p> System.IO.MemoryStream ms = new System.IO.MemoryStream();<br /> image.Save(ms, System.Drawing.Imaging.ImageFormat.Gif);<br /> Response.ClearContent();<br /> Response.ContentType = "image/Gif";<br /> Response.BinaryWrite(ms.ToArray());<br /> }<br /> finally<br /> {<br /> g.Dispose();<br /> image.Dispose();<br /> }<br /> }<br /> }<br />   

---

2.登陆验证如何去避免sql注入？

微软的官方网站中有一篇文章详细介绍防止sql注入：http://msdn.microsoft.com/en-us/library/ff648339.aspx。其中主要内容如下：

2.1输入验证，永远不要相信用户输入

using System;<br /> using System.Text.RegularExpressions;</p> <p>public void CreateNewUserAccount(string name, string password)<br /> {<br /> // Check name contains only lower case or upper case letters,<br /> // the apostrophe, a dot, or white space. Also check it is<br /> // between 1 and 40 characters long<br /> if ( !Regex.IsMatch(userIDTxt.Text, @"^[a-zA-Z'./s]{1,40}$"))<br /> throw new FormatException("Invalid name format");</p> <p> // Check password contains at least one digit, one lower case<br /> // letter, one uppercase letter, and is between 8 and 10<br /> // characters long<br /> if ( !Regex.IsMatch(passwordTxt.Text,<br /> @"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,10}$" ))<br /> throw new FormatException("Invalid password format");</p> <p> // Perform data access logic (using type safe parameters)<br /> ...<br /> }

2.2 使用存储过称

 using System.Data;<br /> using System.Data.SqlClient;</p> <p>using (SqlConnection connection = new SqlConnection(connectionString))<br /> {<br /> DataSet userDataset = new DataSet();<br /> SqlDataAdapter myCommand = new SqlDataAdapter(<br /> "LoginStoredProcedure", connection);<br /> myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;<br /> myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);<br /> myCommand.SelectCommand.Parameters["@au_id"].Value = SSN.Text;</p> <p> myCommand.Fill(userDataset);<br /> }<br />

在执行过程中，@au_id中传递的值是当做纯文本的，不会产生sql注入问题。但是这种情况下需要注意的原有的存储过程是如何编写的。如果是下面的存储过程的话，还是起不到防止注入的功能。

CREATE PROCEDURE dbo.RunQuery<br /> @var ntext<br /> AS<br /> exec sp_executesql @var<br /> GO

2.3 使用参数化的动态sql（字符串拼接的形式）

using System.Data;<br /> using System.Data.SqlClient;</p> <p>using (SqlConnection connection = new SqlConnection(connectionString))<br /> {<br /> DataSet userDataset = new DataSet();<br /> SqlDataAdapter myDataAdapter = new SqlDataAdapter(<br /> "SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id",<br /> connection);<br /> myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);<br /> myCommand.SelectCommand.Parameters["@au_id"].Value = SSN.Text;<br /> myDataAdapter.Fill(userDataset);<br /> }

2.4 数据库权限

如果是查询数据库的话，将权限设置的低一点