当参数不是字符串时，不对SQL查询进行参数化是否安全? [英] Is it safe to not parameterize an SQL query when the parameter is not a string?

问题描述

就 SQL注入而言，我完全理解对参数string进行参数化的必要性.那是书中最古老的把戏之一.但是什么时候可以证明不参数化SqlCommand是合理的呢?是否将任何数据类型视为安全的"而不进行参数化?

In terms of SQL injection, I completely understand the necessity to parameterize a string parameter; that's one of the oldest tricks in the book. But when can it be justified to not parameterize an SqlCommand? Are any data types considered "safe" to not parameterize?

例如:我不认为自己在SQL专家附近，但是我想不出任何可能容易受到SQL注入接受bool的情况.或int并将其直接连接到查询中.

For example: I don't consider myself anywhere near an expert in SQL, but I can't think of any cases where it would be potentially vulnerable to SQL injection to accept a bool or an int and just concatenate it right into the query.

我的假设是正确的，还是可能在程序中留下巨大的安全漏洞?

Is my assumption correct, or could that potentially leave a huge security vulnerability in my program?

为澄清起见，此问题被标记为 c#是一种强类型语言；当我说参数"时，会想到类似 public int Query(int id).

For clarification, this question is tagged c# which is a strongly-typed language; when I say "parameter," think something like public int Query(int id).

推荐答案

我认为这是安全的... 技术上 ，但这是一个可怕的习惯.您真的要编写这样的查询吗?

I think it's safe... technically, but it's a terrible habit to get into. Do you really want to be writing queries like this?

var sqlCommand = new SqlCommand("SELECT * FROM People WHERE IsAlive = " + isAlive + 
" AND FirstName = @firstName");

sqlCommand.Parameters.AddWithValue("firstName", "Rob");

在类型从整数更改为字符串的情况下，这也使您容易受到攻击(请考虑雇员编号，尽管其名称可能包含字母).

It also leaves you vulnerable in the situation where a type changes from an integer to a string (Think employee number which, despite its name - may contain letters).

因此，我们将EmployeeNumber的类型从int更改为string，但是却忘记了更新SQL查询.哎呀.

So, we've changed the type of EmployeeNumber from int to string, but forgot to update our sql queries. Oops.

这篇关于当参数不是字符串时，不对SQL查询进行参数化是否安全?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！