How do parameterized queries help against SQL injection?

Backend · Unresolved · 6 · 1423
有刺的猬 2020-11-21 22:32

In both queries 1 and 2, the text from the textbox is inserted into the database. What's the significance of the parameterized query here?

  1. Passing tx

6 answers
  •  别跟我提以往
    2020-11-21 23:34

    SQL injection happens when a possible parameter has SQL within it and the strings are not handled as they should be

    eg:

    // the closing quote must be a one-character string literal, not two empty quotes
    var sqlquerywithoutcommand = "select * from mytable where rowname =  '" + condition + "'";


    and the condition is a string coming from the user in the request. If condition is malicious say eg:

    var sqlquerywithoutcommand = "select * from mytable where rowname =  '" + "a' ;drop table  mytable where '1=1"+"'";
    

    you could end up running malicious scripts.

    but using parameters the input will be cleaned of any characters which might escape string characters...

    you can be sure that, no matter what comes in, it will not be able to run injected scripts.

    using the command object with parameters the sql actually executed would look like this

    select * from mytable where rowname = 'a'';drop table mytable where 1=1'''
    

    in essence it will be looking for a row with rowname = a';drop table mytable where 1=1' and not running the remaining script
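The contrast the answer above draws, as an added example that is not part of the original post: a concatenated query beside its parameterized form, run against a constructed in-memory SQLite table named `mytable` (the table and the input string are assumptions for illustration). With a crafted input containing a quote, the concatenated version changes the shape of the statement and matches every row, while the parameterized version treats the same text as a literal value, finds nothing, and stores it exactly as typed.

```python
import sqlite3


def make_db():
    # Constructed sample data: a small in-memory table standing in for "mytable".
    conn = sqlite3.connect(":memory:")
    conn.execute("create table mytable (rowname text)")
    conn.executemany("insert into mytable (rowname) values (?)", [("a",), ("b",), ("c",)])
    conn.commit()
    return conn


def lookup_unsafe(conn, condition):
    # Builds the SQL by string concatenation, like sqlquerywithoutcommand in the answer.
    # Any quote inside `condition` becomes part of the statement's structure.
    sql = "select rowname from mytable where rowname = '" + condition + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, condition):
    # The SQL text is fixed; the value is bound separately by the driver,
    # so it can only ever be compared as data, never parsed as SQL.
    sql = "select rowname from mytable where rowname = ?"
    return [row[0] for row in conn.execute(sql, (condition,))]


def store_parameterized(conn, text):
    # Inserting user text through a bound parameter stores it verbatim,
    # quotes and semicolons included; returns what was actually stored.
    conn.execute("insert into mytable (rowname) values (?)", (text,))
    conn.commit()
    return conn.execute(
        "select rowname from mytable where rowname = ?", (text,)
    ).fetchone()[0]


# Constructed input that closes the string literal, in the spirit of the answer's example.
CRAFTED = "a' or '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(lookup_unsafe(conn, CRAFTED))         # the quote ends the literal: every row comes back
    print(lookup_parameterized(conn, CRAFTED))  # searched for as a plain string: no rows
    print(store_parameterized(conn, CRAFTED))   # stored exactly as typed
    print(lookup_parameterized(conn, CRAFTED))  # and now found, as a literal value
```

The point to take from the run is that nothing is "cleaned" out of the input: the stored value still contains the quote and the `or`. What changes is that the database receives the query text and the value through separate channels, so the value has no opportunity to alter the statement.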
