I have the following code:
const string Sql =
    @"select distinct [name]
    from tblCustomers
    left outer join tblCustomerInfo on tblCustomers.Id = tblCustomerInfo.CustomerId
    where (tblCustomers.Name LIKE '%@SEARCH%' OR tblCustomerInfo.Info LIKE '%@SEARCH%');";
// @SEARCH sits inside a quoted string literal here, so SQL Server treats it as the
// literal text "@SEARCH"; the parameter added below is never used by the query.
using (var command = new SqlCommand(Sql, Connection))
{
    command.Parameters.AddWithValue("@SEARCH", searchString);
    ...
}
That does not work, and I also tried this:
const string Sql =
    @"select distinct [name]
    from tblCustomers
    left outer join tblCustomerInfo on tblCustomers.Id = tblCustomerInfo.CustomerId
    where (tblCustomers.Name LIKE @SEARCH OR tblCustomerInfo.Info LIKE @SEARCH);";
using (var command = new SqlCommand(Sql, Connection))
{
    // The single quotes are part of the parameter value, so the pattern the server
    // receives is '%...%' including the quote characters themselves.
    command.Parameters.AddWithValue("@SEARCH", "'%" + searchString + "%'");
    ...
}

Question: I have a form with a text value, and a function that must return a query string based on the value of that text.
Solution: I create a SqlCommand query with parameters, then put SqlCommand.CommandText into a string and return it (to the business logic that will run the query).
Main question: is it SQL injection proof?
Code example:
string sQuery = "select * from xy where x like '%@txtNameParameter%'";
SqlCommand cmd = new SqlCommand(sQuery);
cmd.Parameters.Add("@txtNameParameter", SqlDbType.VarChar);
cmd.Parameters["@txtNameParameter"].Value = txtName.Text;
// CommandText is the template string exactly as passed to the constructor;
// parameter values live separately in cmd.Parameters and are not merged into it.
string query = cmd.CommandText;
return query;
Sub-question, if the main question is fine: should I also put the values of radio buttons and drop-down menus into parameters, or are they injection-proof as they are?
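The following is an added example, not code from either post, showing the LIKE pattern both questions circle around: the wildcards go into the parameter value (without quotes), the SQL text stays a fixed template, and LIKE metacharacters in the user input are escaped so a search string of "%" cannot match every row. It assumes System.Data.SqlClient (in the box on .NET Framework; a NuGet package on .NET Core/5+), the table and column names from the first question, and an added ESCAPE clause; no database connection is opened, so it runs offline and only prints what would be sent.

```csharp
// Added example (not from the original posts): parameterised LIKE search with SqlCommand.
// Assumes System.Data.SqlClient (ships with .NET Framework; on .NET Core/5+ add the
// System.Data.SqlClient or Microsoft.Data.SqlClient package). No database is contacted;
// the command is built and inspected so the sample runs offline.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text;

public static class CustomerSearch
{
    // Table and column names follow the first question; the ESCAPE clause is an addition.
    const string Sql =
        @"select distinct tblCustomers.[Name]
          from tblCustomers
          left outer join tblCustomerInfo on tblCustomers.Id = tblCustomerInfo.CustomerId
          where tblCustomers.[Name] LIKE @Pattern ESCAPE '\'
             or tblCustomerInfo.Info LIKE @Pattern ESCAPE '\';";

    // A parameter stops SQL injection but not wildcard injection: LIKE has its own
    // metacharacters, and an input of "%" would match every row. Escape %, _, [ and
    // the escape character itself so user text is matched literally.
    public static string EscapeLikePattern(string input)
    {
        var sb = new StringBuilder(input.Length);
        foreach (char c in input)
        {
            if (c == '\\' || c == '%' || c == '_' || c == '[')
                sb.Append('\\');
            sb.Append(c);
        }
        return sb.ToString();
    }

    // The wildcards belong to the parameter VALUE, not the SQL text, and no quotes are
    // added: the driver sends the value out of band, never spliced into the statement.
    public static SqlCommand BuildSearchCommand(string searchString, SqlConnection connection)
    {
        var command = new SqlCommand(Sql, connection);
        var p = command.Parameters.Add("@Pattern", SqlDbType.NVarChar, 200);
        p.Value = "%" + EscapeLikePattern(searchString) + "%";
        return command;
    }

    public static void Main()
    {
        // Constructed inputs: a legitimate apostrophe, a quote-based payload, and
        // wildcard payloads. All are hypothetical test data.
        string[] inputs = { "O'Brien", "' OR 1=1 --", "%", "50%_off[1]" };
        foreach (var input in inputs)
        {
            using (var cmd = BuildSearchCommand(input, null))
            {
                // CommandText is identical for every input; the value lives only in the
                // parameter collection, which is exactly what returning CommandText drops.
                Console.WriteLine("input:   " + input);
                Console.WriteLine("pattern: " + cmd.Parameters["@Pattern"].Value);
                Console.WriteLine("text:    " + cmd.CommandText.Trim().Split('\n')[0]);
                Console.WriteLine();
            }
        }
    }
}
```

Two consequences follow for the second post. Returning cmd.CommandText hands the caller the unchanged template, with '%@txtNameParameter%' still a quoted literal that SQL Server will never treat as a parameter, so the business logic receives neither the user's value nor a usable query; pass the SqlCommand (text plus its Parameters collection), or the text and the value side by side, and let the code that executes it keep them separate. And for the sub-question: a radio button or drop-down only constrains what the browser offers, not what the HTTP request contains, so those values are user input like any other and go through parameters the same way.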