AddWithValue sql注入安全吗?为什么? [英] AddWithValue sql injection safe? Why?

问题描述

我希望这是问对地方的地方， parameters.addwithvalue 是如何工作的?我在想一种防止SQL注入的方式吗?我一直在Stackoverflow上寻找很多东西，很多人说"//Against sql injection".我一直在盲目使用它，但是现在我必须提交一份有关我的任务的论文，我需要解释一下为什么它是保护.我一直试图在MSDN上找到一些东西，发现了这一点:

I hope this is the right place to ask, how does parameters.addwithvalue work? I am thinking in a way to protect against SQL injection? I have been looking quite a lot on Stackoverflow, and a lot of people say "//Against sql injection". I have been using it blindly, but now that I have to hand in a paper about my assignment I need to explain why it is protection. I have been trying to find something on MSDN, found this one:

SQL注入但它使用 parameters.add .然后，我读到它们将 .Add 替换为 .AddWithValue ，是真的吗?那有官员吗?

SQL injection But it uses the parameters.add. I then read that they replace .Add with .AddWithValue, is that true? Any official on this then?

因此，基本上，有谁能更好地寻找一些可以防止SQL注入的官方文书?还是可以告诉我它是如何工作的?

So basically, anyone better in searching for some official paperwork that it protect against SQL injection? Or can tell me how it works?

我不是想让你做我的工作，我只是找不到我自己.

I am not trying to make you do my work, I just can't find it my self.

我正在这样使用它:

using (SqlConnection conn = new SqlConnection(connectionString))
using (var cmd = conn.CreateCommand())
{
        conn.Open();
        String queryString = "DELETE FROM dbo.SecurityAccess WHERE Username = ' @Username ";
        cmd.CommandText = queryString;
        cmd.Parameters.AddWithValue("@Username", Username);
        cmd.ExecuteNonQuery();
}

推荐答案

从SQL注入的角度来看，使用参数通常是安全的(取决于您对SQL中的这些参数所做的操作...).您的例子很安全.从SQL Ibjection的角度来看，如何添加参数没有什么区别，但从ADO.Net和SQL性能的角度来看，却有很多区别.由于与参数类型和大小有关的性能问题， AddWithValue 是反模式.在您的示例中， @UserName 将是类型为 NVARCHAR 的参数，这可能会使 WHERE Username = @ UserName 谓词不可保留(不会在用户名上使用索引).执行结果将是可怕的.

From SQL Injection point of view using parameters is usually safe (subject to what you do with those parameters in the SQL...). Your example is safe. How one adds the parameters makes no difference from the SQL Ibjection point of view, but makes a lot of difference from ADO.Net and SQL performance point of view. AddWithValue is an anti-pattern because of performance problems related to parameter type and size. In your example the @UserName will be a parameter of type NVARCHAR, which will likely make the WHERE Username=@UserName predicate unsarg-able (will not use an index on Username). The execution result would be dreadful.

数据类型转换的潜在解决方案是使用显式的 Add 方法而不是将数据类型作为第二个参数的 AddWithValue .此处.

A potential solution to the datatype conversion is to use the explicit Add method instead of AddWithValue, which takes the datatype as second parameter. More details on this here.

有关更多详细信息，请您阅读数据访问代码如何影响数据库性能.

For more details I urge you to read How Data Access Code Affects Database Performance.

这篇关于AddWithValue sql注入安全吗?为什么?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！