How can I use something like a GetDbNumberValue statement as a parameter, like in this code?


Problem description

This statement (GetDBNumberValue) prevents SQL injection, my boss said. But I'm going to find something like this and use it in my projects.

What I have tried:

public bool UpdateInfo_ToDownloadQueueStatus(string strAutoID)
{
    // Every value is concatenated straight into the SQL text; the Get*Value
    // helpers are the only thing standing between strAutoID and the parser.
    string strQuery = " UPDATE tb_NGD_ToDownloadQueue SET ";
    strQuery += " Status = 2 ";
    strQuery += ",";
    strQuery += " DownloadEnd = " + GetDbStringValue(DateTime.Now.ToString());
    strQuery += " WHERE AutoID = " + GetDbNumberValue(strAutoID);

    // Count the sibling queue rows that are still pending (Status = 1).
    strQuery += " DECLARE @RowCount int; ";
    strQuery += " SELECT @RowCount = COUNT(*) FROM tb_NGD_ToDownloadQueue ";
    strQuery += " WHERE fk_DownloadRequestScales = ( SELECT TOP 1 fk_DownloadRequestScales FROM tb_NGD_ToDownloadQueue WHERE AutoID = " + GetDbNumberValue(strAutoID) + " ) AND [Status] = 1 ";

    // Parent request: JobStatusID 5 while work remains, otherwise 2.
    strQuery += " IF @RowCount > 0 ";
    strQuery += " BEGIN ";
    strQuery += " UPDATE tb_NGD_DownloadRequestScales SET JobStatusID = 5 WHERE tb_NGD_DownloadRequestScales.AutoID = ( SELECT TOP 1 fk_DownloadRequestScales FROM tb_NGD_ToDownloadQueue WHERE AutoID = " + GetDbNumberValue(strAutoID) + " ) ";
    strQuery += " END ";
    strQuery += " ELSE ";
    strQuery += " BEGIN ";
    strQuery += " UPDATE tb_NGD_DownloadRequestScales SET JobStatusID = 2 WHERE tb_NGD_DownloadRequestScales.AutoID = ( SELECT TOP 1 fk_DownloadRequestScales FROM tb_NGD_ToDownloadQueue WHERE AutoID = " + GetDbNumberValue(strAutoID) + " ) ";
    strQuery += " END ";

    //strQuery += " UPDATE tb_NGD_DownloadRequestScales SET ";
    //strQuery += " JobStatusID = 2 ";
    //strQuery += " WHERE AutoID = ( SELECT TOP 1 fk_DownloadRequestScales FROM tb_NGD_ToDownloadQueue WHERE AutoID = " + GetDbNumberValue(strAutoID) + " ) ";

    if (!baseClass.MapInfo_NoRetValue(strQuery))
    {
        ErrMessage = baseClass.ErrMessage;
        return false;
    }

    return true;
}

Recommended answer

No it doesn't - unless your set of GetDbXValue methods process the data and remove any SQL Injection prone data. And we have no idea what they do, we can't see them. And even if they do, they don't make things work perfectly at all, because just passing dates to SQL as strings relies on the interpretation of the date by the two different systems: if the C# code PC returns a short date from ToString, 01/02/03, it relies on SQL interpreting that correctly, but is it supposed to be "1st Feb 2003", "2nd Jan 2003", or "3rd Feb 2001"? SQL doesn't know, and nor does your presentation software when it retrieves it!

Instead of mucking about with hack-arounds to try and avoid it, just use parameterised queries to pass the actual values in an unambiguous form that isn't subject to SQL Injection at all:

string strQuery = "UPDATE tb_NGD_ToDownloadQueue SET Status = 2, DownloadEnd = @DLE WHERE AutoID = @AID";
using (SqlCommand cmd = new SqlCommand(strQuery, con))
{
    cmd.Parameters.AddWithValue("@DLE", DateTime.Now);
    cmd.Parameters.AddWithValue("@AID", strAutoID);
    ...
}
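The same approach carried through the asker's whole batch, as an added example that is not part of the original answer: each reuse of the AutoID becomes one @AID parameter, the id is type-checked in C# before it goes anywhere near the server, and the timestamp travels as a DateTime rather than a culture-dependent string. It assumes System.Data.SqlClient and a caller-supplied connection string; the class and method names are made up for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
public static class ToDownloadQueueRepository
{
    // The asker's batch as ONE parameterised command (hypothetical rewrite). The SQL is a
    // constant: strAutoID is never concatenated into it, so it can only be read as a value.
    private const string UpdateBatchSql = @"
UPDATE tb_NGD_ToDownloadQueue SET Status = 2, DownloadEnd = @DLE WHERE AutoID = @AID;
DECLARE @Scales int = (SELECT TOP 1 fk_DownloadRequestScales
                         FROM tb_NGD_ToDownloadQueue WHERE AutoID = @AID);
-- 5 if this request still has queue rows in Status 1, otherwise 2 (same rule as the question)
UPDATE tb_NGD_DownloadRequestScales
   SET JobStatusID = CASE WHEN EXISTS (SELECT 1 FROM tb_NGD_ToDownloadQueue
                                        WHERE fk_DownloadRequestScales = @Scales
                                          AND [Status] = 1) THEN 5 ELSE 2 END
 WHERE AutoID = @Scales;";
    public static bool UpdateInfoToDownloadQueueStatus(
        string connectionString, string strAutoID, out string errMessage)
    {
        errMessage = null;
        // Reject a non-numeric AutoID here instead of sending it to SQL Server as text.
        if (!int.TryParse(strAutoID, out int autoId))
        {
            errMessage = "AutoID must be an integer.";
            return false;
        }
        try
        {
            using (var con = new SqlConnection(connectionString))
            using (var cmd = new SqlCommand(UpdateBatchSql, con))
            {
                // Explicit SqlDbType avoids AddWithValue guessing nvarchar for the id and
                // keeps the timestamp a real DateTime, so no date-format ambiguity arises.
                cmd.Parameters.Add("@AID", SqlDbType.Int).Value = autoId;
                cmd.Parameters.Add("@DLE", SqlDbType.DateTime2).Value = DateTime.Now;
                con.Open();
                cmd.ExecuteNonQuery();
                return true;
            }
        }
        catch (SqlException ex)
        {
            errMessage = ex.Message;
            return false;
        }
    }
}
```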

