将 SqlConnection 对象作为单个可执行文件的属性是否存在风险?
我的设计习惯是让子窗体填充一个 SqlConnection 对象,显示子窗体,建立 SqlConnection 对象并将填充的对象传递回父窗体以继续执行。 .NET 2.0 及更高版本 0 如下:
父表单:
public SqlConnection sqlcon; //should be property but made it public for this example
public MainForm_Load(object sender, EventArgs e)
{
Login frm = new Login(this);
frm.ShowDialog();
if (this.sqlcon == null)
{ //no login
this.Close();
}
//else, continue execution
}
登录表单:
Mainform parent;
public Login(RandomParade frm)
{
InitializeComponent();
parent = frm;
}
private void btnOK_Click(object sender, EventArgs e)
{
//code to capture login details from textboxes
//test connection
parent.sqlcon = new SqlConnection("connection string with login details here");
this.Close();
}
由于它被编译为单个可执行文件(dll 访问修饰符单独处理等...),因此公开 sqlConnection 对象会带来安全风险吗?有人可以在运行时获取信息吗? 将登录信息传递到“主”表单的更好实现是什么?
I've got the design habit to have a SqlConnection object populated by a child form, showing the child form, establishing the SqlConnection object and having the populated object passed back to the parent form where execution continues. .NET 2.0 and up 0 as follows:
Parent form:
public SqlConnection sqlcon; //should be property but made it public for this example
public MainForm_Load(object sender, EventArgs e)
{
Login frm = new Login(this);
frm.ShowDialog();
if (this.sqlcon == null)
{ //no login
this.Close();
}
//else, continue execution
}
Login Form:
Mainform parent;
public Login(RandomParade frm)
{
InitializeComponent();
parent = frm;
}
private void btnOK_Click(object sender, EventArgs e)
{
//code to capture login details from textboxes
//test connection
parent.sqlcon = new SqlConnection("connection string with login details here");
this.Close();
}
As this is compiled into a single executable (dll access modifiers treated separate etc...), is having the sqlConnection object public a security risk? Could someone pick up the information at runtime?
What would be a better implementation of passing login information to a 'Main' form?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
由于 .NET 在内部维护一个连接池(除非关闭),您应该传递 连接字符串相反,并在创建新连接时使用它。
这允许您通过为您需要执行的所有操作(例如相对于批处理)创建新连接来保持连接信息“线程安全”。
连接在运行时不存在被劫持的风险,因为这应该全部很好地捆绑到应用程序域中。 (有很多方法,但那是另一个讨论)。
它可能看起来效率很低,但由于后台池,传递连接字符串效果很好。
因此,回答您的问题:实际上并没有安全风险,但存在线程安全风险,因此请传递连接字符串而不是连接。这会让你运行得更顺畅。
另外,请记住在使用完
SqlConnection和SqlCommand后将其丢弃;)Since .NET maintains a connection pool internally (unless switched off), you should be passing around a connection string instead, and use this when creating new connections.
This allows you to keep the connection information "thread safe" by creating a new connection for everything you need to do (relative to a batch, for example).
There isn't a risk for the connection to be hijacked at runtime, as this should be all bundled up nicely into an application domain. (There are ways, but that's another discussion).
It might seem very inefficient, but due to the background pooling, passing a connection string around works out great.
So, to answer your question: there's not really a security risk, but there is a risk for thread safety, so pass around a connection string instead of a connection. This will run smoother for you.
Also, remember to dispose of your
SqlConnections andSqlCommands when you're done with them ;)