basics of parameterized query

て烟熏妆下的殇ゞ submitted on 2019-12-08 02:29:42

Question


  1. I have used parameterized queries a number of times, and I know they help in preventing SQL injection. But I was wondering whether I can find out what the basic logic is that works inside a parameterized query to prevent SQL injection. Maybe it is very simple, but I don't know about it. I tried searching Google for the basics of it, but every time I found an example of how to use a parameterized query in ASP.NET.
  2. I know about making a special class which stops those special characters like (', -- etc.) which are used in SQL injection, but does stopping only special characters totally prevent SQL injection?
  3. And one last thing: can .NET parameterized queries fully stop SQL injection?

Answer 1:


I think parametrized queries are not dependent on the database's prepared-query support. The database driver itself passes the values the safe way, and how that is done depends on the driver itself.

The PostgreSQL manual explains the basics of parametrized queries at the database level.

On the other hand, parametrized queries simplify passing locale-sensitive data. For example, the user enters the decimal 100,00, but your server expects the value 100.00.




Answer 2:


In every database engine I know, using "prepared" (aka "parametrized", or "static") queries prevents SQL injection. You don't need to filter any characters if they're being passed as parameters. If you ever write SQL that is concatenated together in code rather than prepared with parameters, you are probably at risk of SQL injection. You should read the security manual for the database you're using; it will very likely have a section on SQL injection, but just read all of it. I bet it will take under an hour and will give you solid instruction and confidence that you're following the best practices that apply to your database.
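A worked example, added here and not part of either answer or of the original question. Both answers make the same point: with a parameterized query the SQL text is fixed and the values travel separately through the driver's bind mechanism, so user input can only ever be compared as data and cannot change the statement's structure. The Python block below uses the standard-library sqlite3 driver and a constructed in-memory table to show the same login query written with string concatenation and with bound parameters, and (going one step beyond what the answers state, to address the question's second point) a numeric lookup where stripping quotes and `--` still leaves the query injectable while the parameterized form is not. The table contents, function names and payloads are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
SAMPLE_USERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
]


def make_db():
    """Build an in-memory SQLite database with a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    # Even the setup uses bound parameters: '?' placeholders, values in a tuple.
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, name, password):
    """VULNERABLE: input is spliced into the SQL text, so a quote closes the
    string literal and '--' comments out the rest of the statement."""
    sql = (
        "SELECT name FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, name, password):
    """SAFE: the SQL text never changes; the driver binds the values as data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def find_by_id_filtered(conn, user_id):
    """VULNERABLE despite 'sanitizing': a numeric context needs no quotes, so
    removing ' and -- does nothing against a payload such as 1 OR 1=1."""
    cleaned = str(user_id).replace("'", "").replace("--", "")
    sql = "SELECT name FROM users WHERE id = " + cleaned
    return [row[0] for row in conn.execute(sql)]


def find_by_id_param(conn, user_id):
    """SAFE: whatever the caller passes is compared against id as a single value."""
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def demo():
    """Run every variant against the sample table and return the results."""
    conn = make_db()
    string_payload = "' OR 1=1 --"  # closes the literal, makes WHERE always true
    numeric_payload = "1 OR 1=1"    # no quote or comment needed at all
    return {
        "concat_normal": login_concat(conn, "alice", "s3cret"),
        "concat_injected": login_concat(conn, string_payload, "x"),
        "param_normal": login_param(conn, "alice", "s3cret"),
        "param_injected": login_param(conn, string_payload, "x"),
        "filtered_numeric_normal": find_by_id_filtered(conn, 1),
        "filtered_numeric_injected": find_by_id_filtered(conn, numeric_payload),
        "param_numeric_normal": find_by_id_param(conn, 1),
        "param_numeric_injected": find_by_id_param(conn, numeric_payload),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:28s} -> {rows}")
```

The two injected concatenation variants return every user; the parameterized variants return nothing, because the driver compared the whole payload, quote and all, against the column as a plain string. That is the mechanism the answers describe, and it is why the character-filtering approach from the question is unnecessary once parameters are used (and insufficient on its own).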



Source: https://stackoverflow.com/questions/4446855/basics-of-parameterized-query
