.NET 中的 SQL 注入预防 [英] SQL Injection Prevention in .NET

问题描述

I typically write my SQL as so in .NET

sql.Append("SELECT id, code, email FROM mytable WHERE variable = @variable ");

Then do something like this:

using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings[ConfigurationManager.AppSettings["defaultConnection"]].ConnectionString))
{
    using (SqlCommand myCommand = new SqlCommand(sql.ToString(), conn))
    {
        myCommand.Parameters.AddWithValue("@variable", myVariableName");
        ...

But should I also do this addParameter when the data I got comes directly from the database like so?

likesql.Append(string.Format("SELECT group_id, like_text FROM likeTerms ORDER BY group_id ASC "));

DataTable dtLike = SqlHelper.GetDataTable(likesql.ToString());

foreach (DataRow dr in dtLike)
{
    buildsql.Append(".... varId = " + dr["group_id"].ToString() + "...");

    ...

Is this acceptable? What is best practice?

解决方案

You should always use parameters:

• Where are the values in your database coming from?
• Can you trust, in your example, that 'group_id' wasn't modified to be something you're not expecting?

Trust noone

Can someone with limited database access inject directly into a field used elsewhere?

Performance

Also, it helps performance. Cached execution plans will disregard the value of the parameter, meaning you're saving the server from recompiling the query every time the parameters change.

这篇关于.NET 中的 SQL 注入预防的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！