如何prevent SQL注入转义字符串 [英] How to prevent a SQL Injection escaping strings
本文介绍了如何prevent SQL注入转义字符串的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我有一些疑问(到acccess数据库)是这样的:
I have some queries (to an acccess database) like this :
string comando = "SELECT * FROM ANAGRAFICA WHERE E_MAIL='" + user + "' AND PASSWORD_AZIENDA='" + password + "'";
和我想逃用户和密码,preventing注射。
and I'd like to "escape" user and password, preventing an injection.
我怎样才能做到这一点用C#和.NET 3.5?我在寻找出头像函数mysql_escape_string PHP的...
How can I do it with C# and .NET 3.5? I'm searching somethings like mysql_escape_string on PHP...
推荐答案
您需要使用的参数。好了不要有,但将是preferable。
You need to use parameters. Well dont have to but would be preferable.
SqlParameter[] myparm = new SqlParameter[2];
myparm[0] = new SqlParameter("@User",user);
myparm[1] = new SqlParameter("@Pass",password);
string comando = "SELECT * FROM ANAGRAFICA WHERE E_MAIL=@User AND PASSWORD_AZIENDA=@Pass";
这篇关于如何prevent SQL注入转义字符串的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文