本文介绍了.NET 中的 SQL 注入预防的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
I typically write my SQL as so in .NET
sql.Append("SELECT id, code, email FROM mytable WHERE variable = @variable ");
Then do something like this:
using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings[ConfigurationManager.AppSettings["defaultConnection"]].ConnectionString))
{
using (SqlCommand myCommand = new SqlCommand(sql.ToString(), conn))
{
myCommand.Parameters.AddWithValue("@variable", myVariableName");
...
But should I also do this addParameter when the data I got comes directly from the database like so?
likesql.Append(string.Format("SELECT group_id, like_text FROM likeTerms ORDER BY group_id ASC "));
DataTable dtLike = SqlHelper.GetDataTable(likesql.ToString());
foreach (DataRow dr in dtLike)
{
buildsql.Append(".... varId = " + dr["group_id"].ToString() + "...");
...
Is this acceptable? What is best practice?
解决方案
Youshouldalwaysuseparameters:
- Where are the values in your database coming from?
- Can you trust, in your example, that 'group_id' wasn't modified to be something you're not expecting?
Trustnoone
Can someone with limited database access inject directly into a field used elsewhere?
Performance
Also, it helps performance. Cached execution plans will disregard the value of the parameter, meaning you're saving the server from recompiling the query every time the parameters change.
这篇关于.NET 中的 SQL 注入预防的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持编程学习网!
本站部分内容来源互联网,如果有图片或者内容侵犯您的权益请联系我们删除!