如何防止SQL注入转义字符串

Question

我有一些问题(到一个acccess数据库)像这样:

string comando = "SELECT * FROM ANAGRAFICA WHERE E_MAIL='" + user + "' AND PASSWORD_AZIENDA='" + password + "'";

我想"逃避"用户和密码,防止注射.

我怎么能用C#和.NET 3.5做到这一点？我在PHP上搜索像mysql_escape_string这样的东西......

Answer 1

您需要使用参数.好吧不必,但会更好.

SqlParameter[] myparm = new SqlParameter[2];
myparm[0] = new SqlParameter("@User",user);
myparm[1] = new SqlParameter("@Pass",password);

string comando = "SELECT * FROM ANAGRAFICA WHERE E_MAIL=@User AND PASSWORD_AZIENDA=@Pass";

Answer 2

不要逃避字符串开始 - 使用参数化查询.这远远超过逃避的好处:

• 代码更容易阅读
• 您不必依赖于正确的转义
• 可能会有性能改进(特定于DB等)
• 它将"代码"(SQL)与数据分开,这在逻辑上是很好的意义
• 这意味着您无需担心数字和日期/时间等数据格式.

文档SqlCommand.Parameters给出了一个很好的,完整的例子.

Answer 3

您应该使用SQL参数来防止SQL注入查看代码

//
// The name we are trying to match.
//
string dogName = "Fido";
//
// Use preset string for connection and open it.
//
string connectionString = ConsoleApplication716.Properties.Settings.Default.ConnectionString;
using (SqlConnection connection = new SqlConnection(connectionString))
{
    connection.Open();
    //
    // Description of SQL command:
    // 1. It selects all cells from rows matching the name.
    // 2. It uses LIKE operator because Name is a Text field.
    // 3. @Name must be added as a new SqlParameter.
    //
    using (SqlCommand command = new SqlCommand("SELECT * FROM Dogs1 WHERE Name LIKE @Name", connection))
    {
    //
    // Add new SqlParameter to the command.
    //
    command.Parameters.Add(new SqlParameter("Name", dogName));
    //
    // Read in the SELECT results.
    //
    SqlDataReader reader = command.ExecuteReader();
    while (reader.Read())
    {
        int weight = reader.GetInt32(0);
        string name = reader.GetString(1);
        string breed = reader.GetString(2);
        Console.WriteLine("Weight = {0}, Name = {1}, Breed = {2}", weight,    name, breed);
    }
    }
}