What are good ways to prevent SQL injection?


Question

I have to program an application management system for my OJT company. The front end will be done in C# and the back end in SQL.

Now I have never done a project of this scope before; in school we had only basic lessons about SQL. Somehow our teacher completely failed to discuss SQL injections, something which I have only now come in contact with by reading about it on the net.

So anyway my question is: how do you prevent SQL injections in C#? I vaguely think that it can be done by properly masking the text fields of the application so that it only accepts input in a specified format. For example: an e-mail textbox should be of the format "example@examplecompany.tld". Would this approach be sufficient? Or does .NET have pre-defined methods that handle stuff like this? Can I apply a filter to a textbox so it only accepts email-address format or a name textbox so it doesn't accept special chars?

Recommended answer

By using the SqlCommand and its child collection of parameters, all the pain of checking for SQL injection is taken away from you and will be handled by these classes.

Here is an example, taken from one of the articles above:

using System;
using System.Data;
using System.Data.SqlClient;

// The user-supplied values (customerID, demoXml) never become part of the SQL
// text; they are sent as typed parameters bound to @ID and @demographics.
private static void UpdateDemographics(Int32 customerID,
    string demoXml, string connectionString)
{
    // Update the demographics for a store, which is stored  
    // in an xml column.  
    string commandText = "UPDATE Sales.Store SET Demographics = @demographics "
        + "WHERE CustomerID = @ID;";

    using (SqlConnection connection = new SqlConnection(connectionString))
    {
        SqlCommand command = new SqlCommand(commandText, connection);
        command.Parameters.Add("@ID", SqlDbType.Int);
        command.Parameters["@ID"].Value = customerID;

        // Use AddWithValue to assign Demographics. 
        // SQL Server will implicitly convert strings into XML.
        command.Parameters.AddWithValue("@demographics", demoXml);

        try
        {
            connection.Open();
            Int32 rowsAffected = command.ExecuteNonQuery();
            Console.WriteLine("RowsAffected: {0}", rowsAffected);
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.Message);
        }
    }
}
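As an added example (not from the original answer), here is the concatenated query the question is worried about beside its parameterized form, with the e-mail format check the asker proposed kept only as defence in depth; the Customers table and its CustomerID/Email columns are assumed names.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Net.Mail;

// Added example; assumes a hypothetical table Customers(CustomerID int, Email nvarchar).
public static class CustomerLookup
{
    // VULNERABLE: the textbox value is pasted into the SQL text, so the database parses
    // user input as SQL. A format mask on the textbox does not change that.
    public static int? FindByEmailUnsafe(string email, string connectionString)
    {
        string sql = "SELECT CustomerID FROM Customers WHERE Email = '" + email + "'";
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            connection.Open();
            object result = command.ExecuteScalar();
            return result == null || result == DBNull.Value ? (int?)null : (int)result;
        }
    }

    // SAFE: the e-mail travels as a typed parameter value, never as SQL text. The format
    // check rejects obvious garbage early, but the parameter is what prevents injection.
    public static int? FindByEmail(string email, string connectionString)
    {
        if (!IsPlausibleEmail(email))
            throw new ArgumentException("Not an e-mail address.", nameof(email));

        const string sql = "SELECT CustomerID FROM Customers WHERE Email = @email;";
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            command.Parameters.Add("@email", SqlDbType.NVarChar, 254).Value = email;
            connection.Open();
            object result = command.ExecuteScalar();
            return result == null || result == DBNull.Value ? (int?)null : (int)result;
        }
    }

    // .NET's own MailAddress parser as a cheap, reasonable format check.
    public static bool IsPlausibleEmail(string email)
    {
        if (string.IsNullOrWhiteSpace(email) || email.Length > 254) return false;
        try { return new MailAddress(email).Address == email; }
        catch (FormatException) { return false; }
    }
}
```

The answer to the question's "is masking sufficient?" is visible in the two methods: both can receive a string that passes the format check, but only the parameterized one keeps that string out of the statement.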
