如何解决安全漏洞问题CA2100审查SQL查询 [英] How can I fix CA2100 Review SQL queries for security vulnerabilities issue

问题描述

我分析我的代码，并得到这个安全问题：

CA2100查看SQL查询的安全漏洞传递到查询字符串的SqlDataAdapter .SqlDataAdapter（字符串，SqlConnection的）'在'Add_item.loadgrid（）可能包含以下变量的Login.dbName。如果这些变数可能来自用户的输入，可以考虑使用存储过程或参数化的SQL查询，而不是修建与字符串连接的查询。登录Add_item.cs 64

这是突出显示的代码：

  SqlDataAdapter的大=新的SqlDataAdapter（SELECT Newjob FROM [+ Login.dbName +] .newjob，连接康恩。）; 
  

解决方案

这就是通常所谓的SQL注入漏洞。不是将值转换为字符串并传递该字符串到SQL Server，你应该使用的SqlParameter对象。

I am analyzing my code and got this security issue:

CA2100 Review SQL queries for security vulnerabilities The query string passed to 'SqlDataAdapter.SqlDataAdapter(string, SqlConnection)' in 'Add_item.loadgrid()' could contain the following variables 'Login.dbName'. If any of these variables could come from user input, consider using a stored procedure or a parameterized SQL query instead of building the query with string concatenations. Login Add_item.cs 64

This is the highlighted code:

SqlDataAdapter da = new SqlDataAdapter("SELECT Newjob FROM [" + Login.dbName + "].newjob", connection. conn );

解决方案

This is what is commonly known as a SQL Injection vulnerability. Instead of concatenating values into a string and passing that string to the SQL Server, you should use sqlParameter objects.

这篇关于如何解决安全漏洞问题CA2100审查SQL查询的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！