哪些SQL查询是更安全的SQL注入方面 [英] Which sql query is more secure in terms of SQL injection
问题描述
我在这,我想用+1更新 SUP
和 OPP
值的两个SQL查询和-1分别查询被称为每次
I have two SQL queries in which I'm trying to update sup
and opp
values with +1 and -1 respectively each time the query is called.
第一次查询:
query=update disc set sup=@sup, opp=@opp where did=@did
int sup=getnoofsup(did);
int opp = getnoofopp(did);
com.Parameters.AddWithValue("@sup", sups + 1);
com.Parameters.AddWithValue("@opp", opps - 1);
com.Parameters.AddWithValue("@did", did);
com.ExecuteNonQuery();
第二个查询
Second query
string query="update disc set sup=sup+1, opp=opp-1 where did=@did" ;
com.Parameters.AddWithValue("@did", did);
com.ExecuteNonQuery();
有没有注射第二次查询任何威胁,因为我换 @sup
与 SUP + 1
?
推荐答案
没有中,第二查询是作为第一个作为安全的,因为它是完全参数化的,并且因此不存在通过该外部数据可以输入SQL查询本身的文本路径。在 SUP + 1
表达受RDBMS计算的,而不是由程序 * ,所以它不能提供一个机会注入新的代码插入到现有的SQL。
No, the second query is as secure as the first one, because it is fully parameterized, and therefore does not present a path through which an external data could enter the text of the SQL query itself. The sup+1
expression is calculated by the RDBMS, not by your program*, so it cannot present an opportunity to inject new code into the existing SQL.
* ,它不随后提交给SQL的 EXEC
重新演绎的存储过程。
* and it is not subsequently presented to SQL's exec
stored procedure for re-interpretation.
这篇关于哪些SQL查询是更安全的SQL注入方面的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!