SQLParameter 如何防止 SQL 注入? [英] How does SQLParameter prevent SQL Injection?

问题描述

究竟是什么背景使之如此SQLParameter 可以防止 .NET 参数化查询中的 SQL Inection 攻击吗?它只是去除了任何可疑字符还是还有更多内容?

What exactly is going on in the background that makes it so SQLParameter prevents SQL Inection attacks in a .NET Parameterized query? Is it just stripping out any suspect characters or is there something more to it?

有没有人检查过当您传递恶意输入时实际到达 SQL Server 的内容?

Has anyone out there checked to see what actually gets to SQL Server when you pass malicious input?

相关:你能用吗SQL FROM 语句中的 SQLParameter?

推荐答案

基本上，当您使用 SQLParameters 执行 SQLCommand 时，参数永远不会直接插入到语句中.相反，一个名为 sp_executesql 的系统存储过程被调用并给出 SQL 字符串和参数数组.

Basically, when you perform a SQLCommand using SQLParameters, the parameters are never inserted directly into the statement. Instead, a system stored procedure called sp_executesql is called and given the SQL string and the array of parameters.

当这样使用时，参数被隔离并被视为数据，而不必从语句中解析出来(因此可能会更改它)，因此参数包含的内容永远不会被执行".你只会得到一个很大的错误，参数值在某种程度上无效.

When used as such, the parameters are isolated and treated as data, instead of having to be parsed out of the statement (and thus possibly changing it), so what the parameters contain can never be "executed". You'll just get a big fat error that the parameter value is invalid in some way.

这篇关于SQLParameter 如何防止 SQL 注入?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！