Yas*_*med 1 sql sql-injection dynamic
我想like在动态参数化查询中使用关键字.我想保护我的查询免受SQL注入,所以我不想传递值,而是我想在执行查询时传递我的标准,
有没有办法可以做到这一点?
SELECT
ComposeMail.ID,
ComposeMail.DateTime,
ComposeMail.Subject,
ComposeMail.CreatedBy,
ComposeMail.ReceiverStatus,
Users.Name,
ROW_NUMBER() OVER(ORDER BY '+ @p_SortExpression +') AS Indexing
FROM
ComposeMail
INNER JOIN
Users
ON
ComposeMail.CreatedBy = Users.ID
WHERE
(ToReceipientID=@p)
AND (
ReceiverStatus=3
OR ReceiverStatus=4
)
AND (
(Subject Like ''%' + @p3 + '%'')
OR (Body Like ''%' + @p3 + '%'')
OR (Name Like ''%' + @p3 + '%'')
)
这是我的动态查询字符串.我不想在这里传递值.
为了防止在动态查询中注入,你总是想做这样的事情(而不是在你的例子中做'+ @var +')
DECLARE @query nvarchar(2000),
@paramList nvarchar(2000)
SET @query = 'SELECT * FROM dbo.Orders WHERE custLastName LIKE ''%'' + @custLastName + ''%'''
SET @paramList = '@custLastName varchar(30)'
EXEC SP_EXECUTESQL @query, @paramList, @custLastName
编辑:示例已更新为使用LIKE
| 归档时间: |
|
| 查看次数: |
4167 次 |
| 最近记录: |