Question
I have heard that I can prevent SQL injection attacks by using parameterized queries, but I do not know how to write them.
How would I write the following as a parameterized query?
// NOTE(review): the connection string is assembled by concatenating the
// globalvariables.* fields straight into it. A host, user name or password that
// contains ';' or a quote can terminate its own keyword and add or override
// others (connection-string injection). SqlConnectionStringBuilder quotes each
// value correctly; the connection should also be wrapped in `using` so it is
// disposed on every path.
SqlConnection con = new SqlConnection(
\"Data Source=\" + globalvariables.hosttxt + \",\" + globalvariables.porttxt + \"\\\\SQLEXPRESS;\" +
\"Database=ha;\" +
\"Persist Security Info=false;\" +
\"UID=\'\" + globalvariables.user + \"\';\" +
\"PWD=\'\" + globalvariables.psw + \"\'\");
// "WHERE 1+1=2" is an always-true predicate so that each optional filter below
// can be appended with a leading " AND ".
string query = \"SELECT distinct ha FROM app WHERE 1+1=2\";
if (comboBox1.Text != \"\")
{
// SQL INJECTION: comboBox1.Text (treat as untrusted -- an editable combo box
// accepts free text) is spliced into the SQL text. A value such as
//   ' OR 1=1 --
// rewrites the statement. The answers below replace this concatenation with a
// parameter (@firma) whose value is sent separately from the SQL.
query += \" AND firma = \'\" + comboBox1.Text + \"\'\";
}
if (comboBox2.Text != \"\")
{
// SQL INJECTION: same pattern as above for the "type" filter.
query += \" AND type = \'\" + comboBox2.Text + \"\'\";
}
if (comboBox3.Text != \"\")
{
// SQL INJECTION: same pattern as above for the "farve" filter.
query += \" AND farve = \'\" + comboBox3.Text + \"\'\";
}
// The command text is the fully concatenated string, so whatever the user typed
// is parsed by SQL Server as part of the statement.
SqlCommand mySqlCmd = con.CreateCommand();
mySqlCmd.CommandText = query;
con.Open();
…
Answer 1:
You need to pass the user-supplied values as parameters instead of concatenating them into the SQL string. The SQL text then contains only placeholders (`@firma`, …); the values are sent to SQL Server separately as typed data, so they can never be interpreted as part of the statement:
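// Build the statement from placeholders only. Every user-supplied value is
// attached as a SqlParameter, so it travels to SQL Server as data and is never
// parsed as SQL. The `using` blocks dispose the connection, command and reader
// on every path (including exceptions), which also closes them -- no explicit
// Close() calls are required.
using (SqlConnection con = new SqlConnection(--your-connection-string--))
// SqlCommand has no constructor that takes only a connection; CreateCommand()
// returns a command already bound to `con`.
using (SqlCommand cmd = con.CreateCommand())
{
    // Always-true predicate so each optional filter can be appended with " AND ".
    string query = "SELECT distinct ha FROM app WHERE 1+1=2";

    if (comboBox1.Text != "")
    {
        // The SQL text references the placeholder ...
        query += " AND firma = @firma ";
        // ... and the value is supplied separately. Declare the parameter with
        // the column's actual type and length (NVarChar if the column is
        // nvarchar) so the comparison does not force an implicit conversion.
        cmd.Parameters.Add("@firma", SqlDbType.VarChar, 100).Value = comboBox1.Text;
    }
    if (comboBox2.Text != "")
    {
        query += " AND type = @type ";
        cmd.Parameters.Add("@type", SqlDbType.VarChar, 100).Value = comboBox2.Text;
    }
    if (comboBox3.Text != "")
    {
        query += " AND farve = @farve ";
        cmd.Parameters.Add("@farve", SqlDbType.VarChar, 100).Value = comboBox3.Text;
    }

    cmd.CommandText = query;
    con.Open();
    using (SqlDataReader reader = cmd.ExecuteReader())
    {
        while (reader.Read())
        {
            // read values from the current row, e.g. reader.GetString(0)
        }
    }
}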
Answer 2:
Instead of concatenating comboBox1.Text into the query string, reference a parameter such as @firma in the SQL and supply the value through the command's Parameters collection:
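// Declare the parameter first (the enum member is SqlDbType.VarChar -- "Varchar"
// does not compile). Without an explicit size ADO.NET infers the length from each
// value, which can produce one cached plan per distinct length; giving the size
// of the firma column (and NVarChar if it is nvarchar) avoids that.
command.Parameters.Add("@firma", SqlDbType.VarChar);
// The user-supplied text is attached as data; it is never parsed as SQL.
command.Parameters["@firma"].Value = comboBox1.Text;
// The SQL text itself only ever contains the placeholder.
query += " AND firma = @firma ";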
Apply the same pattern to the other filters (comboBox2 → @type, comboBox3 → @farve): every user-supplied value becomes a parameter, and the SQL string never contains user input.
Source: https://stackoverflow.com/questions/25820944/how-do-i-re-write-a-sql-query-as-a-parameterized-query