How can I fix CA2100 Review SQL queries for security vulnerabilities issue
Question
I am analyzing my code and got this security issue:
CA2100 Review SQL queries for security vulnerabilities The query string passed to 'SqlDataAdapter.SqlDataAdapter(string, SqlConnection)' in 'Add_item.loadgrid()' could contain the following variables 'Login.dbName'. If any of these variables could come from user input, consider using a stored procedure or a parameterized SQL query instead of building the query with string concatenations. Login Add_item.cs 64
This is the highlighted code:
SqlDataAdapter da = new SqlDataAdapter("SELECT Newjob FROM [" + Login.dbName + "].newjob", connection.conn);
Solution
This is what is commonly known as a SQL Injection vulnerability. Instead of concatenating values into a string and passing that string to the SQL Server, you should use SqlParameter objects.
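Added example, not code from the original question or answer: a database name sits in an identifier position, and SQL Server identifiers cannot be bound as SqlParameter, so the identifier is checked against an allowlist and bracket-escaped, while any filter value (the hypothetical @owner below) is passed as a parameter. The allowlist contents, the `Owner` column and the `LoadGrid` signature are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example (not from the original post). The allowlist names below
// are constructed placeholders for the databases the app may query.
static class JobRepository
{
    private static readonly HashSet<string> AllowedDatabases =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "JobsProd", "JobsTest" };

    // Identifiers (database/schema/table names) cannot be SqlParameters,
    // so reject anything not on the allowlist, then bracket-quote it.
    // Doubling ']' is the T-SQL escape inside [ ... ] (same as QUOTENAME).
    static string QuoteIdentifier(string name)
    {
        if (string.IsNullOrEmpty(name) || !AllowedDatabases.Contains(name))
            throw new ArgumentException("Database name not permitted: " + name);
        return "[" + name.Replace("]", "]]") + "]";
    }

    // Values coming from user input are bound as parameters, never concatenated.
    // 'owner' and the Owner column are hypothetical, added to show the parameter.
    public static DataTable LoadGrid(SqlConnection conn, string dbName, string owner)
    {
        string sql = "SELECT Newjob FROM " + QuoteIdentifier(dbName)
                   + ".newjob WHERE Owner = @owner";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@owner", SqlDbType.NVarChar, 128).Value = owner;
            using (var da = new SqlDataAdapter(cmd))
            {
                var table = new DataTable();
                da.Fill(table);
                return table;
            }
        }
    }
}
```

A value such as `x] ; DROP TABLE newjob; --` for dbName is rejected by the allowlist before any SQL is built, and a non-allowlisted but otherwise harmless name fails the same way, which is the intended behaviour.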