SQL Injection Prevention in .NET(.NET 中的 SQL 注入预防)
本文介绍了.NET 中的 SQL 注入预防的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
I typically write my SQL as so in .NET
sql.Append("SELECT id, code, email FROM mytable WHERE variable = @variable ");
Then do something like this:
using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings[ConfigurationManager.AppSettings["defaultConnection"]].ConnectionString))
{
using (SqlCommand myCommand = new SqlCommand(sql.ToString(), conn))
{
myCommand.Parameters.AddWithValue("@variable", myVariableName");
...
But should I also do this addParameter when the data I got comes directly from the database like so?
likesql.Append(string.Format("SELECT group_id, like_text FROM likeTerms ORDER BY group_id ASC "));
DataTable dtLike = SqlHelper.GetDataTable(likesql.ToString());
foreach (DataRow dr in dtLike)
{
buildsql.Append(".... varId = " + dr["group_id"].ToString() + "...");
...
Is this acceptable? What is best practice?
解决方案
You should always use parameters:
- Where are the values in your database coming from?
- Can you trust, in your example, that 'group_id' wasn't modified to be something you're not expecting?
Trust noone
Can someone with limited database access inject directly into a field used elsewhere?
Performance
Also, it helps performance. Cached execution plans will disregard the value of the parameter, meaning you're saving the server from recompiling the query every time the parameters change.
这篇关于.NET 中的 SQL 注入预防的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持编程学习网!
沃梦达教程
本文标题为:.NET 中的 SQL 注入预防
基础教程推荐
猜你喜欢
- 如何动态获取文本框中datagridview列的总和 2022-01-01
- 全局 ASAX - 获取服务器名称 2022-01-01
- 在 VS2010 中的 Post Build 事件中将 bin 文件复制到物 2022-01-01
- 将事件 TextChanged 分配给表单中的所有文本框 2022-01-01
- 经典 Asp 中的 ResolveUrl/Url.Content 等效项 2022-01-01
- 错误“此流不支持搜索操作"在 C# 中 2022-01-01
- 首先创建代码,多对多,关联表中的附加字段 2022-01-01
- 从 VS 2017 .NET Core 项目的发布目录中排除文件 2022-01-01
- 是否可以在 asp classic 和 asp.net 之间共享会话状态 2022-01-01
- JSON.NET 中基于属性的类型解析 2022-01-01
