MTA*_*MTA 1 .net c# sql sql-server
我使用以下代码从SQL Server表中进行选择:
using (SqlConnection con = new SqlConnection(SqlConnectionString))
{
string sql = @"SELECT * FROM movies WHERE title like '%' + '" + searchQuery + "' + '%'";
using (var command = new SqlCommand(sql, con))
{
con.Open();
using (var reader = command.ExecuteReader())
{
while (reader.Read())
{
....
}
}
}
}
并且它工作得很好,但我想阻止SQL注入,所以我尝试使用:
using (SqlConnection con = new SqlConnection(SqlConnectionString))
{
string sql = @"SELECT * FROM movies WHERE title like '%' '@Search' + '%'";
using (var command = new SqlCommand(sql, con))
{
command.Parameters.AddWithValue("@Search", searchQuery);
con.Open();
using (var reader = command.ExecuteReader())
{
while (reader.Read())
{
..........
}
}
}
}
当我尝试执行此操作时,我得不到SQL Server的结果.
知道为什么吗?
"为什么?" 因为很少有电影在他们的名字中加上"@Search"这个词 - 即"印第安纳琼斯和最后的@Search".也许是"星际迷航III:@Search for Spock".通过将其括在单引号中,您将查找文字字符串@Search,而不是所调用参数@Search的值.
string sql = @"SELECT * FROM movies WHERE title like '%' + @Search + '%'";
或者(最好是IMO):
string sql = @"SELECT * FROM movies WHERE title like @Search";
并%在呼叫站点添加:
command.Parameters.AddWithValue("Search", "%" + searchQuery + "%");