这是SQL注入防Asp.net code？ [英] Is this Sql-injection-proof Asp.net code?

问题描述

问题：我有一个文本值的形式和功能必须基于文本的价值观太值返回一个字符串查询

Problem: I have a form with text values, and a function that must return a string query based on the values of the text values too.

解决方案：我创建了一个带参数的查询的SqlCommand，然后我把SQLCommand.CommandText为字符串，然后我回到它（到将要处理查询的业务逻辑）

Solution: I created a SQLCommand query with parameters, then I put the SQLCommand.CommandText to a string and I returned it (to the business logic that is going to handle the query)

主要问题：它是SQL注入防

Main Question: Is it sql-injection proof?

code示例：

sQuery = "select * from xy where x like '%@txtNameParameter%'";

SqlCommand cmd = new SqlCommand(sQuery);

cmd.Parameters.Add("@txtNameParameter", SqlDbType.VarChar);
cmd.Parameters["@txtNameParameter"].Value = txtName.Text;

string query = cmd.CommandText;
return query;

子问题，如果主要的问题是确定的：
我应该投入参数也是一个单选按钮和dropdownmenu或值是它们注射证明？

Sub question if main question is ok: Should I put into parameters also values of a radiobutton and dropdownmenu or are they injection-proof?

推荐答案

你在做什么这里是注射证明，因为你没有任何注射。事实上，你的参数甚至没有使用（因为它的唯一引用是一个字符串字母所以SQL语法分析程序甚至不会看到您正在尝试使用参数，因为它将把它作为一个字符串）。

What you are doing here is injection proof because you are not injecting anything. In fact, your parameter isn't even used (because the only reference to it is inside a string literal so the SQL Parser won't even see where you are attempting to use the parameter because it will treat it as a string literal.)

您可能要更改该行code到：

You may want to change that line of code to:

sQuery = "select * from xy where x like '%'+@txtNameParameter+'%'";

这将使SQL是这样的：

Which would make the SQL look like this:

select * from xy where x like '%'+@txtNameParameter+'%'

这是在一个字符串中的SQL命令预期反正一个地方只是字符串连接。

Which is just string concatenation in a place where a string is expected in the SQL command anyway.

不过，你对你这个做什么说​​明之后可能打击一切出来的水。我不明白你为什么会想只查询的WHERE子句发送到业务层。

However, your description of what you are doing with this afterwards possibly blows all that out of the water. I cannot understand why you would want to send just the where clause of the query to the business layer.

此外，substringed WHERE子句将不会包含您在参数中把数据。所以，你没有得到更多的好处，只是回到

Also, the substringed WHERE clause will not contain the data you are putting in the parameter. So you are getting no more benefit that just returning

return "where x like '%@txtNameParameter%'";

参数值都将丢失。

The parameter value is lost.

这篇关于这是SQL注入防Asp.net code？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！