sql参数从什么方面保护你? [英] From what do sql parameters protect you?
问题描述
参数用于保护您免受恶意用户输入.
Parameters are used to protect you from malicious user input.
但是如果参数需要一个字符串,是否可以编写将被解释为 sql 的输入,以便恶意用户可以使用诸如 'DROP'、'TRUNCATE' 之类的东西...
But if the parameter expects a string, is it possible to write input that will be interpreted as sql, so malicious users can use things like 'DROP', 'TRUNCATE', etc...?
asp、asp.net、java等中的参数保护有区别吗?
Are there differences in protection between parameters in asp, asp.net, java and others?
推荐答案
如果参数是幕后的字符串,参数化查询通常会引用参数,这样普通的 SQL 操作符就不会被解释为这样.这意味着即使用户输入了潜在的恶意数据,它也会被简单地视为字符串输入,而不会被解释为 SQL 运算符/命令.
Parameterized queries generally quote the parameter if it is a string behind the scene so that the normal SQL operators are not interpreted as such. This means that even if a user enters potentially malicious data it is simply treated as a string input and not interpreted as SQL operators/commands.
它在各种框架中的实现方式可能存在技术差异,但基本思想(和结果)是相同的.
There may be technical differences in how it is implemented in the various frameworks, but the basic idea (and result) is the same.
这篇关于sql参数从什么方面保护你?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
