What are good ways to prevent SQL injection? [duplicate]

内容导读

互联网集市收集整理的这篇技术教程文章主要介绍了What are good ways to prevent SQL injection? [duplicate]，小编现在分享给大家，供广大互联网技能从业者学习和参考。文章包含2523字，纯文字阅读大概需要4分钟。

内容图文

What are good ways to prevent SQL injection? [duplicate]

How can I add user-supplied input to an SQL statement?

Use parameterized SQL.

Examples

(These examples are in C#, see below for the VB.NET version.)

Replace your string concatenations with @... placeholders and, afterwards, add the values to your SqlCommand. You can choose the name of the placeholders freely, just make sure that they start with the @ sign. Your example would look like this:

var sql = "INSERT INTO myTable (myField1, myField2) " +
          "VALUES (@someValue, @someOtherValue);";

using (var cmd = new SqlCommand(sql, myDbConnection))
{
    cmd.Parameters.AddWithValue("@someValue", someVariable);
    cmd.Parameters.AddWithValue("@someOtherValue", someTextBox.Text);
    cmd.ExecuteNonQuery();
}

The same pattern is used for other kinds of SQL statements:

var sql = "UPDATE myTable SET myField1 = @newValue WHERE myField2 = @someValue;";

// see above, same as INSERT

or

var sql = "SELECT myField1, myField2 FROM myTable WHERE myField3 = @someValue;";

using (var cmd = new SqlCommand(sql, myDbConnection))
{
    cmd.Parameters.AddWithValue("@someValue", someVariable);
    using (var reader = cmd.ExecuteReader())
    {
        ...
    }
    // Alternatively: object result = cmd.ExecuteScalar();
    // if you are only interested in one value of one row.
}

A word of caution: AddWithValue is a good starting point and works fine in most cases. However, that the value you pass in needs to exactly match the data type of the corresponding database field. Otherwise, you might end up in a situation where the conversion prevents your query from using an index. Note that some SQL Server data types, such as char/varchar (without preceding "n") or date do not have a corresponding .NET data type. In those cases, Add with the correct data type should be used instead.

Why should I do that?

• It's more secure: It stops SQL injection. _{(Bobby Tables won't delete your student records.)}

• It's easier: No need to fiddle around with single and double quotes or to look up the correct string representation of date literals.

• It's more stable: O'Brien won't crash your application just because he insists on keeping his strange name.

Other database access libraries

• If you use an OleDbCommand instead of an SqlCommand (e.g., if you are using an MS Access database), use ? instead of @... as the placeholder in the SQL. In that case, the first parameter of AddWithValue is irrelevant; instead, you need to add the parameters in the correct order. The same is true for OdbcCommand.

• Entity Framework also supports parameterized queries.

 

 

 

 

 

内容总结

以上是互联网集市为您收集整理的What are good ways to prevent SQL injection? [duplicate]全部内容，希望文章能够帮你解决What are good ways to prevent SQL injection? [duplicate]所遇到的程序开发问题。 如果觉得互联网集市技术教程内容还不错，欢迎将互联网集市网站推荐给程序员好友。

内容备注

版权声明：本文内容由互联网用户自发贡献，该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务，不拥有所有权，不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容， 请发送邮件至 gblab@vip.qq.com 举报，一经查实，本站将立刻删除。

内容手机端

---