String with extra characters


Problem description

Dear all, please help.

In my web application I get some data from the user through a text box.
I store the text box value in a variable and insert it into the database.

But when the user enters characters like ', ;, : in the text box, it shows an error. How can I solve it?

For example: anoop's, kira's, etc.

Answers

I assume that you are using a simple SQL query such as
SqlCommand cmd = new SqlCommand("INSERT INTO tab (field1) VALUES (" + textBox1.Text + ")");

And the database complains?

Congratulations! This is leaving an opening known as "SQL Injection".

The addition of special characters causes the database to process them as part of a command. For example (DO NOT DO THIS) if you enter "hello);DROP TABLES tab" into your text box, the SQL would see:

"INSERT INTO tab (field1) VALUES (hello);DROP TABLES tab;)"

as a single command.
Because ';' is a statement terminator, SQL sees this as two commands: an INSERT, followed by a DROP TABLES. It inserts your name as "hello", and then deletes the tab table.

Don't do it this way. Use a parameterized query:

SqlCommand cmd = new SqlCommand("INSERT INTO tab (field1) VALUES (@NAME)");
cmd.Parameters.AddWithValue("@NAME", textBox1.Text);


这样您的问题就会消失,而不是您的表...


And your problem will disappear, instead of your tables...


You can define a regular expression to define what is either acceptable (generally more thorough) or unacceptable.
Depending on the technology used (you don't say whether this is ASP.NET, Winforms or WPF) you will need to use the regex in the relevant validator to prevent the user continuing before the input is corrected.

You should also check the input before insertion and reject it if not valid, and pass the value as an SQL parameter to stop SQL injection attacks.
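The two answers above combined in one place, as an added example that is not from either answer: a whitelist regex that validates the input first, and a parameterized SqlCommand that carries the value as typed data. It assumes a SQL Server table tab with an NVARCHAR(100) column field1, and that the field holds a name, so the whitelist is chosen for names.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

static class NameInput
{
    // Assumed schema: table "tab" with an NVARCHAR(100) column "field1".
    const int MaxLength = 100;

    // Whitelist for an assumed name field: letters, digits, space, apostrophe, hyphen.
    // "anoop's" and "kira's" pass; control characters and an empty string do not.
    static readonly Regex Allowed = new Regex(@"^[\p{L}\p{N} '\-]+$");

    // Validation rejects unwanted input early; it is NOT what prevents injection.
    public static bool IsValid(string userText)
    {
        return userText != null
            && userText.Length <= MaxLength
            && Allowed.IsMatch(userText);
    }

    // Parameterized insert: the value travels as typed data, never as SQL text,
    // so quotes, semicolons and colons are stored literally and cannot end the
    // statement. Returns the number of rows inserted (1 on success).
    public static int InsertName(string connectionString, string userText)
    {
        if (!IsValid(userText))
            throw new ArgumentException("Input rejected by validation.", nameof(userText));

        const string sql = "INSERT INTO tab (field1) VALUES (@NAME)";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Explicit type and length instead of AddWithValue: no type inference
            // from the .NET value, and the parameter matches the column definition.
            cmd.Parameters.Add("@NAME", SqlDbType.NVarChar, MaxLength).Value = userText;
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```

In a web form, call IsValid from the validator so the user is stopped before submission, and let InsertName re-check it on the server side since client-side validation can be bypassed.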


What is the data type of the variable?

