Secure SQL Queries


Problem description



Hi,
In my project I am using SQL queries like this.
But you already informed me that these queries are not secure at all, so what is a secure SQL query?
How can I give the user the right to enter the state name?

Please send me any example of secure queries for inserting data entered by the user.

try
{
String str2 = "select code from state where code='" + this.txtstatecode.Text + "'";
SqlCommand cmd1 = new SqlCommand();
cmd1.CommandText = str2;
cmd1.Connection = conn;
//cmd.ExecuteNonQuery();
SqlDataReader rd = cmd1.ExecuteReader();
//System.Windows.MessageBox.Show(rd.Read().ToString());
bool exists = rd.Read();
rd.Close(); // close the reader before reusing the connection for another command
if (exists)
{
System.Windows.MessageBox.Show("Record already existing");
}
else
{
String str = "insert into State(Code,Name) values ('" + this.txtstatecode.Text + "','" + this.txtstatename.Text + "')";
//if rdr.GetString()

cmd1.CommandText = str;
cmd1.Connection = conn;
cmd1.ExecuteNonQuery();

//System.Windows.MessageBox.Show("Data Inserted Successfully");
//cmd.Connection = conn;

DataTable dt = new DataTable();
String str1 = "select code,name from State";// where code='" + this.txtstatecode.Text + "'";
cmd1.Connection = conn;
cmd1.CommandType = CommandType.Text;
cmd1.CommandText = str1;
SqlDataAdapter adp = new SqlDataAdapter(cmd1);
SqlCommandBuilder cb = new SqlCommandBuilder(adp);
/* paste here */
adp.Fill(dt);
bs.DataSource = dt;
statedg5.ItemsSource = bs;
adp.Update(dt);
this.statedg5.Items.Refresh();
}
}
catch (Exception e1)
{
System.Windows.MessageBox.Show(e1.Message);
}

Recommended answers

You should use a SqlCommand object for executing the SQL query. Pass the values as parameters to the SqlCommand object. Try search engines for help. And have a look at the following.

Reasons I'd fire anyone who wrote this code for me

1 - hard coded connection string
2 - SQL code in presentation layer
3 - lack of any sort of database security, esp in what looks like an account creation page, which anyone could presumably access and thus erase or hack the entire DB
4 - the password for the database is abc
5 - using an integer for a boolean flag
6 - this method does several things, which should be refactored into different methods
7 - using Response.Write to communicate with the user instead of setting text in a properly styled and positioned control
by Christian Graus


When you combine strings to pass parameters to a query like this:
String str2 = "select code from state where code='" + this.txtstatecode.Text + "'";




You open yourself up to SQL injection attacks. Instead, pass parameters to the command like this:

String str2 = "select code from state where code=@StateCode";
SqlCommand cmd1 = new SqlCommand();
cmd1.CommandText = str2;
cmd1.Connection = conn;
cmd1.Parameters.Add(new SqlParameter("@StateCode", this.txtstatecode.Text));




Escaping and such will be handled by the .NET Framework. That way, you will not open yourself up to SQL injection attacks.
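As an added example (not part of either answer above), here is the question's check-then-insert logic rewritten with parameterised SqlCommand objects, in a hypothetical StateRepository class; the connection string, the column SQL types and the length limits are assumptions, not taken from the original post.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical helper class; the State(Code, Name) table comes from the question,
// the column types and lengths below are assumed.
public static class StateRepository
{
    // Returns true if the state was inserted, false if the code already existed.
    public static bool InsertStateIfMissing(string connectionString, string stateCode, string stateName)
    {
        // Validate length before the value reaches the database (assumed limits).
        if (string.IsNullOrWhiteSpace(stateCode) || stateCode.Length > 10)
            throw new ArgumentException("State code must be 1-10 characters.", nameof(stateCode));
        if (string.IsNullOrWhiteSpace(stateName) || stateName.Length > 100)
            throw new ArgumentException("State name must be 1-100 characters.", nameof(stateName));

        // 'using' disposes the connection and commands even when an exception is thrown,
        // which also avoids the open-reader problem in the original code.
        using (var conn = new SqlConnection(connectionString))
        {
            conn.Open();

            // 1. Existence check: the user's text is bound to @StateCode, never spliced into the SQL.
            using (var check = new SqlCommand("SELECT 1 FROM State WHERE Code = @StateCode", conn))
            {
                check.Parameters.Add("@StateCode", SqlDbType.VarChar, 10).Value = stateCode;
                object found = check.ExecuteScalar();   // null when no row matches
                if (found != null)
                    return false;                        // record already exists
            }

            // 2. Insert: both user-supplied values are typed parameters, so a value containing
            //    quotes or SQL keywords is stored literally rather than changing the statement.
            using (var insert = new SqlCommand(
                "INSERT INTO State(Code, Name) VALUES (@StateCode, @StateName)", conn))
            {
                insert.Parameters.Add("@StateCode", SqlDbType.VarChar, 10).Value = stateCode;
                insert.Parameters.Add("@StateName", SqlDbType.NVarChar, 100).Value = stateName;
                return insert.ExecuteNonQuery() == 1;
            }
        }
    }
}
```

The check-then-insert pair is still two separate statements, so two users submitting the same code at the same time can both pass the check; a UNIQUE constraint on State.Code is what actually guarantees no duplicate rows, and the parameters are what guarantee no injection.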

