参数化查询如何帮助抵御 SQL 注入? [英] How do parameterized queries help against SQL injection?
问题描述
在查询 1 和 2 中,文本框中的文本被插入到数据库中.参数化查询在这里有什么意义?
In both queries 1 and 2, the text from the textbox is inserted into the database. What's the significance of the parameterized query here?
将
txtTagNumber作为查询参数传递
SqlCommand cmd = new SqlCommand("INSERT INTO dbo.Cars " +"VALUES(@TagNbr);" , conn);
cmd.Parameters.Add("@TagNbr", SqlDbType.Int);
cmd.Parameters["@TagNbr"].Value = txtTagNumber.Text;
在构造查询之前将 txtTagNumber 转换为整数
int tagnumber = txtTagNumber.Text.ToInt16(); /* EDITED */
INSERT into Cars values(tagnumber.Text); /* then is it the same? */
另外,这里我将使用正则表达式验证来阻止插入非法字符.
Also, here I would use Regular Expression validation to stop insertion of illegal characters.
推荐答案
参数化查询在运行 SQL 查询之前正确替换参数.它完全消除了脏"输入改变查询含义的可能性.也就是说,如果输入包含 SQL,它就不能成为执行内容的一部分,因为 SQL 永远不会注入到结果语句中.
Parameterized queries do proper substitution of arguments prior to running the SQL query. It completely removes the possibility of "dirty" input changing the meaning of your query. That is, if the input contains SQL, it can't become part of what is executed becase the SQL is never injected into the resulting statement.
这篇关于参数化查询如何帮助抵御 SQL 注入?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
