参数方向问题 [英] Parameter Direction Question

问题描述

嗨


我有一个简单的查询：

Hi
I have a simple query which is :

SELECT fullname FROM usersAccount WHERE username = @usr AND passwrd = @pwd;

是否需要使用ParameterDirection.Input来获得更好的查询？我只是好奇在非存储查询中使用ParameterDirection，如果他们的某种改进/编码质量。

Does It required to used ParameterDirection.Input for better Query ? Am just curious about using ParameterDirection on non-stored Query if theirs some sort of Improvement/Coding Quality.

cmd.Parameters.Add("@usr", SqlDbType.VarChar, 20, ParameterDirection.Input).Value = Me.txtUserName.Text
cmd.Parameters.Add("@pw", SqlDbType.BigInt, 15, ParameterDirection.Input).Value = Me.txtPassword.Text</pre>

推荐答案

没有。最简单的方法就是说：

No. The easiest way to do this is just to say:

cmd.Parameters.AddWithValue("@usr", txtUserName.Text)
cmd.Parameters.AddWithValue("@pw", txtPassword.Text)

但请不要这样做！以明文形式存储密码是一种可怕的安全风险。请参阅此处：密码存储：如何操作。 [ ^ ] - 它在C＃，但代码在VB中完全相同。





我认为使用

But please don't do that! Storing passwords in clear text is a horrible security risk. See here: Password Storage: How to do it.[^] - it's in C#, but the code is pretty much identical in VB.


"I thought that using

cmd.Parameter.add("pwd",SqlDbType.BigInt, 15).Value

优于AddWithValue，因为它可以严格输入的类型/长度



它可以，是的。这是一个问题！



当您使用带有文本字符串的Add方法并指定长度时，Add方法会将字符串截断为您指定的长度， 没有告诉你。因此，如果您指定一个20个字符的字符串长度并且您的用户输入100个字符的注释，那么将丢弃80个字符而您不知道。更糟糕的是 - 您的用户不知道并确信数据库已正确更新。

如果使用AddWithValue，则传递整个字符串，SQL将拒绝输入并抛出异常回到你的代码 - 所以你可以告诉用户有问题！



还有一些有趣的游戏和数据库的变化需要反映在代码等等，但是在没有人知道的情况下丢弃用户数据的情况要差得多 - 更糟糕 - 因为它无法修复（数据无法恢复）并且会削弱用户对整个系统的信心。



并且仍然不以明文保存密码！

is better than AddWithValue due to it can strict the Type/Length of the Input"

It can, yes. And that's a problem!

When you use the Add method with a text string and specify the length, the Add method truncates the string to the length you specify, without telling you. So if you specify a string length of 20 characters and your user enters a 100 character comment, 80 characters will be discarded and you don't know. Worse - your user doesn't know and is instead assured that the database was updated correctly.
If you use AddWithValue, the whole string is passed through, and SQL will refuse to enter it and throw an exception back to your code - so you can tell the user there is a problem!

There is also the fun and games of changes to the DB needing to be reflected in the code and so forth, but throwing away user data without anyone knowing is much, much worse - because it is unfixable (the data can't be recovered) and that erodes user confidence in the system as a whole.

And still don't save passwords in clear text!

这篇关于参数方向问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！