我知道由于SQL注入,非参数化查询不受欢迎.好吧,我的应用程序中有很多查询容易受到SQL注入的影响.我似乎无法用头脑包裹我SqlDataReader.我能做到这一点的ExecuteNonQuery只是没有SQLDataReader.
有人可以给我一些指针和/或最佳方法的例子,查询正在执行并准确返回它应该是什么,我只是想让它尽可能安全....
码:
string myQuery = "Select [shoeSize] AS 'Shoe Size', [shoeBrand] AS 'Shoe Brand' FROM [myTable] "
+ "WHERE [customerName] = '" + customer + "' AND " + "[customerPin] = '" + customerID + "'";
sqlCmd = new SqlCommand(myQuery, conn);
sqlCmd.Connection.Open();
SqlDataReader rdr2 = sqlCmd.ExecuteReader();
if (rdr2.HasRows)
{
rdr2.Read();
shoeSize= rdr2["Shoe Size"].ToString();
shoeBrand= rdr2["Shoe Brand"].ToString();
}
conn.close();
你去吧
string myQuery = "Select [shoeSize] AS 'Shoe Size', [shoeBrand] AS 'Shoe Brand' FROM [myTable] "
+ "WHERE [customerName] = @customerName AND [customerPin] = @customerID"
sqlCmd = new SqlCommand(myQuery, conn);
sqlCmd.Connection.Open();
sqlCmd.Parameters.AddWithValue("@customerName", customerName);
sqlCmd.Parameters.AddWithValue("@customerID", customerID");
--rest stays the same as before
而@customerName和@customerID现在是你的参数.因此,即使客户的名字应该是"Bigler,Fabian'DROP TABLE [myTable]",它也行不通.它完全消除了"邪恶"输入改变查询含义的可能性.
非参数化查询不仅仅是"不受欢迎".对您,您的公司以及 - 当然 - 您的客户而言,这可能是灾难性的.
| 归档时间: |
|
| 查看次数: |
74 次 |
| 最近记录: |