避免SQL注入中使用的参数，如操作员的SQL查询？ [英] Avoiding SQL Injection in SQL query with Like Operator using parameters?

问题描述

接管一些code从我的predecessor，我发现使用Like运算符的查询：

Taking over some code from my predecessor and I found a query that uses the Like operator:

SELECT * FROM供应商 WHERE supplier_name像'％'+姓名+％;

SELECT * FROM suppliers WHERE supplier_name like '%'+name+%';

试图避免SQL注入问题和参数，但我不太清楚如何做到这一点来实现。有什么建议？

Trying to avoid SQL Injection problem and parameterize this but I am not quite sure how this would be accomplished. Any suggestions ?

请注意，我需要为经典的ADO.NET的解决方案 - 我真的没有反超到了喜欢的东西LINQ关掉这个code

note, I need a solution for classic ADO.NET - I don't really have the go-ahead to switch this code over to something like LINQ.

推荐答案

试试这个：

var query = "select * from foo where name like @searchterm";
using (var command = new SqlCommand(query, connection))
{
  command.Parameters.AddWithValue("@searchterm", String.Format("%{0}%", searchTerm));
  var result = command.ExecuteReader();
}

框架会自动处理引用问题。

the framework will automatically deal with the quoting issues.

这篇关于避免SQL注入中使用的参数，如操作员的SQL查询？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！