我是C#的新手,并且编写了以下代码。阅读文档之后,我意识到我的代码应该容易受到SQL注入的攻击,因为我没有为参数使用参数(据我所知,您可以通过注入不需要的查询search.Text)。因为我实际上是将我的值锁定在“”引号内,所以我什至不必担心吗?
我在这里找到了一些指示,但无法使它起作用: 如何在sql语句中使用字符串变量
public void InvokeDataGridAddress()
{
switch (ComboBoxSelection.Text)
{
case "NASLOV":
comboBoxValue = "SELECT * FROM [cbu_naslovi] WHERE [ADDRESS] LIKE '%" + search.Text + "%' COLLATE Latin1_general_CI_AI";
break;
case "LASTNIK":
comboBoxValue = "SELECT [cbu_naslovi].* FROM [cbu_deli], [cbu_naslovi] WHERE [cbu_deli].LASTNIK LIKE '%" + search.Text + "%' COLLATE Latin1_general_CI_AI AND [cbu_deli].IDX = [cbu_naslovi].ID";
break;
case "OBJEKT":
comboBoxValue = "SELECT * FROM [cbu_naslovi] WHERE [SO] LIKE '%" + search.Text + "%'";
break;
case "PARCELA":
comboBoxValue = "SELECT * FROM [cbu_naslovi] …<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<connectionStrings>
<add name="connect_cbu" connectionString="Data Source=192.168.66.67; Initial Catalog=CBU; Persist Security Info=True; User ID=Admin;Password=1234"/>
</connectionStrings>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />
</startup>
</configuration>
假设我定义了以下两个字符串:public static string user;and public static string pass;inside Global.cs.有可能以某种方式将它们包括在内connectionString吗?
例:
connectionString="Data Source=192.168.66.67; Initial Catalog=CBU; Persist Security Info=True; User ID='Global.user';Password='Global.pass'"/>
解决方案,基于TheGeneral的答案:
的app.config
<connectionStrings>
<clear/>
<add name="connect_cbu" connectionString="Data Source=192.168.66.67; Initial Catalog=CBU; Persist Security Info=True" providerName="System.Data.SqlClient"/>
</connectionStrings>
MainWindow.xaml.cs
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Windows;
namespace Test
{
public partial class …