问题
I am executing an SQL query (system.data.SQLite) like so:
var color = "red";
var command = new SQLiteCommand("SELECT something FROM tabletop WHERE color = '" + color + "'", Connection);
var reader = command.ExecuteReader();
The color variable is a text supplied by the user. How can I escape this text to prevent SQL injection? Or is this bad practice and I should execute the query in some entirely different "protected" way?
回答1:
You should use parameterized queries:
var command = new SQLiteCommand("SELECT something FROM tabletop WHERE color = @Color", Connection);
command.Parameters.AddWithValue("Color", color);
You can also pass an array of SQLiteParameters into the command.Parameters collection like so:
SQLiteParameter[] parameters = { new SQLiteParameter("Color", color), new SQLiteParameter("Size", size) }; // etc.
command.Parameters.AddRange(parameters);
回答2:
You do it with prepared statements:
SQLiteCommand sql = SQLiteDB.CreateCommand();
sql.CommandText = @"INSERT INTO aziende VALUES (@id_azienda, @nome)";
SQLiteParameter lookupValue = new SQLiteParameter("@id_azienda");
SQLiteParameter lookupValue2 = new SQLiteParameter("@nome");
sql.Parameters.Add(lookupValue);
sql.Parameters.Add(lookupValue2);
lookupValue.Value = "Your unsafe user input goes here";
lookupValue2.Value = "Your second unsafe user input goes here";
sql.ExecuteNonQuery();
来源:https://stackoverflow.com/questions/25261317/how-to-escape-a-string-in-system-data-sqlite