C# sqlite 注入 [英] C# sqlite injection

问题描述

如果我改变了我的选择

String insSQL2
    = "select * from Produtos where nome = '" + txtBuscaNome.Text + "'"

到

String insSQL2
    = "select * from Produtos where nome = ''" + txtBuscaNome.Text + "''"

它会阻止 sql 注入吗?

Will it prevent sql injection?

推荐答案

没有

SQL 注入不是创造性地使用引号字符.这是关于将输入视为数据而不是代码.看一个经典的 SQL 注入漏洞:

SQL injection isn't about creatively using quote characters. It's about treating input as data instead of as code. Take a look at a classic SQL injection vulnerability:

"SELECT * FROM Users WHERE Id = " + someValue;

它可能直观地看起来就像您将 someValue 用作数据值，但您实际上将它用作 实际的 SQL 代码.SQL 引擎不会将此视为值参数，而是将其视为正在执行的命令的一部分.该代码应该只是一个值，但它可以是任何东西.您将执行提供的任何代码.

It may intuitively look like you're using someValue as a data value, but you're actually using it as actual SQL code. The SQL engine doesn't see this as a value parameter, it sees it as part of the command being executed. That code should just be a value, but it can be anything. And you'd be executing whatever code is supplied.

以这种方式思考，很明显您永远不应该在您的应用程序中执行用户提供的代码.

Thinking of it in this way, it becomes clear that you should never execute user-supplied code in your application.

另一种方法是将用户输入视为预定义代码中的值.这样你就可以控制代码的完整范围，而用户只提供值.哪个看起来更像这样:

The alternative is to treat the user input as values in pre-defined code. That way you control the complete scope of the code and users are only supplying values. Which would look more like this:

"SELECT * FROM Users WHERE Id = @id";

现在 SQL 引擎看到该参数 (@id) 并希望您为该参数提供 值.在 ADO.NET 中，它可能类似于:

Now the SQL engine sees that parameter (@id) and expects you to supply a value for that parameter. In ADO.NET it might look something like:

someCommand.Parameters.AddWithValue("@id", someValue);

现在 SQL 引擎知道这是一个数据值而不是代码，所以它把它当作数据而不是执行它.

Now the SQL engine knows that this is a data value and not code, so it treats it as data instead of executing it.

这篇关于C# sqlite 注入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！