Is DataAdapter.Update prone to SQL injection?

Views: 85

Problem description

I have the following code. When doing

dataAdapter.Update(dataset, "TableX");

I add some rows to the DataTable, which has some nvarchar columns. Is this prone to SQL injection?

ds.Tables["TableX"].Rows[0]["SomeNvarcharColumn"] = "MALICIOUS SQL INJECTION ATTEMPT"; // placeholder column name; let's say this is where the end user could slip in any malicious string he wanted
What I have tried:

using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;

// selectCommand: a SqlCommand whose SELECT text contains no user input
using (var dataAdapter = new SqlDataAdapter(selectCommand))
using (var cmdBuilder = new SqlCommandBuilder(dataAdapter))
{
    cmdBuilder.ConflictOption = ConflictOption.OverwriteChanges;

    using (var dataset = new DataSet())
    {
        var stopwatch = new Stopwatch();

        dataAdapter.UpdateBatchSize = 0;
        dataAdapter.AcceptChangesDuringFill = false;
        dataAdapter.AcceptChangesDuringUpdate = false;

        stopwatch.Start();
        dataAdapter.Fill(dataset, "TableX");

        // newRow contains some columns of type nvarchar
        var newRow = dataset.Tables["TableX"].NewRow();
        dataset.Tables["TableX"].Rows.Add(newRow);

        // Note: calling dataset.AcceptChanges() here would mark the new row as Unchanged,
        // and Update only sends rows whose RowState is Added/Modified/Deleted.
        dataAdapter.Update(dataset, "TableX");
    }
}

Recommended answer

No. SQL injection only happens when the command itself is "editable" by the user, i.e. when you concatenate strings to form the SQL command.
Provided your SELECT command contains no user input, you should be fine, as the CommandBuilder always uses parameterized queries when generating its SELECT / UPDATE / INSERT commands. The values you send via the parameters are never parsed by SQL, so injection can't occur.
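The answer's point shown in code, as an added example that is not part of the question or the answer above (C#; the column name `Name`, the single-column INSERT and the hostile sample value are assumed, since the page names no columns): the concatenated command embeds the user's text in the SQL itself, while the parameterized form the CommandBuilder generates keeps the command text fixed and carries the row value only as a typed parameter.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class AdapterInjectionDemo
{
    // Constructed attacker-controlled value standing in for "MALICIOUS SQL INJECTION ATTEMPT".
    const string Hostile = "Alice'; DROP TABLE TableX; --";

    // The pattern the answer warns about: user input concatenated into the command text,
    // so the quote in the value closes the literal and the rest is parsed as SQL.
    static SqlCommand BuildConcatenated(string name)
    {
        return new SqlCommand("INSERT INTO TableX (Name) VALUES ('" + name + "')");
    }

    // The shape SqlCommandBuilder produces for the adapter (it names parameters @p1, @p2, ...):
    // fixed text, and the row value travels as an nvarchar parameter that SQL never parses.
    static SqlCommand BuildParameterized(string name)
    {
        var cmd = new SqlCommand("INSERT INTO TableX (Name) VALUES (@p1)");
        cmd.Parameters.Add("@p1", SqlDbType.NVarChar, 100).Value = name;
        return cmd;
    }

    // Against a live connection, inspect what the builder actually generated for the
    // question's adapter: the text contains placeholders, never row values.
    static string GeneratedInsertText(SqlDataAdapter dataAdapter)
    {
        using (var cmdBuilder = new SqlCommandBuilder(dataAdapter))
            return cmdBuilder.GetInsertCommand().CommandText;
    }

    static void Main()
    {
        Console.WriteLine(BuildConcatenated(Hostile).CommandText);
        // INSERT INTO TableX (Name) VALUES ('Alice'; DROP TABLE TableX; --')

        var safe = BuildParameterized(Hostile);
        Console.WriteLine(safe.CommandText);               // INSERT INTO TableX (Name) VALUES (@p1)
        Console.WriteLine(safe.Parameters["@p1"].Value);   // hostile text survives only as a value
    }
}
```

GeneratedInsertText needs the adapter's SelectCommand to carry a usable connection, because the builder queries the table schema to build its commands.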