如何参数化查询帮助抵御SQL注入？ [英] How do parameterized queries help against SQL injection?

问题描述

在这两个查询1和2，从文本框中的文本被插入到数据库中。什么是这里的参数化查询的意义是什么？

In both queries 1 and 2, the text from the textbox is inserted into the database. What's the significance of the parameterized query here?

1> -------------

1.>-------------

SqlCommand cmd = new SqlCommand("INSERT INTO dbo.Cars " +"VALUES(@TagNbr);" , conn);

cmd.Parameters.Add("@TagNbr", SqlDbType.Int);

cmd.Parameters["@TagNbr"].Value = txtTagNumber.Text;

2。> --------------

2.>--------------

int tagnumber = txtTagNumber.Text.ToInt16(); /* EDITED */

INSERT into Cars values(tagnumber.Text); /* then is it the same? */

另外，在这里我会用普通防爆pression验证停止插入非法字符。

Also, here I would use Regular Expression validation to stop insertion of illegal characters.

推荐答案

参数化查询执行之前运行SQL查询参数适当的替代。它完全消除脏的投入改变您的查询的含义的可能性。也就是说，如果输入包含SQL，它不能成为执行什么becase的在SQL从未注入所得语句的一部分。

Parameterized queries do proper substitution of arguments prior to running the SQL query. It completely removes the possibility of "dirty" input changing the meaning of your query. That is, if the input contains SQL, it can't become part of what is executed becase the SQL is never injected into the resulting statement.

这篇关于如何参数化查询帮助抵御SQL注入？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！