如何将 SQL 查询重写为参数化查询? [英] How do I re-write a SQL query as a parameterized query?
本文介绍了如何将 SQL 查询重写为参数化查询?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
听说用参数化查询可以防止SQL注入攻击,但是不知道怎么写.
I have heard that I can prevent SQL injection attacks by using parameterized queries, but I do not know how to write them.
如何将以下内容编写为参数化查询?
How would I write the following as a parameterized query?
SqlConnection con = new SqlConnection(
"Data Source=" + globalvariables.hosttxt + "," + globalvariables.porttxt + "\SQLEXPRESS;" +
"Database=ha;" +
"Persist Security Info=false;" +
"UID='" + globalvariables.user + "';" +
"PWD='" + globalvariables.psw + "'");
string query = "SELECT distinct ha FROM app WHERE 1+1=2";
if (comboBox1.Text != "")
{
query += " AND firma = '" + comboBox1.Text + "'";
}
if (comboBox2.Text != "")
{
query += " AND type = '" + comboBox2.Text + "'";
}
if (comboBox3.Text != "")
{
query += " AND farve = '" + comboBox3.Text + "'";
}
SqlCommand mySqlCmd = con.CreateCommand();
mySqlCmd.CommandText = query;
con.Open();
…
推荐答案
你需要使用 参数 而不是仅仅将你的 SQL 连接在一起:
You need to use parameters instead of just concatenating together your SQL:
using (SqlConnection con = new SqlConnection(--your-connection-string--))
using (SqlCommand cmd = new SqlCommand(con))
{
string query = "SELECT distinct ha FROM app WHERE 1+1=2";
if (comboBox1.Text != "")
{
// add an expression with a parameter
query += " AND firma = @value1 ";
// add parameter and value to the SqlCommand
cmd.Parameters.Add("@value1", SqlDbType.VarChar, 100).Value = comboBox1.Text;
}
.... and so on for all the various parameters you want to add
cmd.CommandText = query;
con.Open();
using (SqlDataReader reader = cmd.ExecuteReader())
{
while(reader.Read())
{
// do something with reader -read values
}
reader.Close();
}
con.Close();
}
这篇关于如何将 SQL 查询重写为参数化查询?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
