Safety from SQL injection
Question
// Code from the question: the two text boxes and the drop-down text are
// concatenated straight into the SQL statement.
SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["techconn"].ToString());
SqlCommand com = new SqlCommand("select * from hs where ac between'" + TextBox1.Text + "'and '" + TextBox2.Text + "' and em='" + DropDownList1.SelectedItem.Text.ToString() + "'", con);
DataTable dt = new DataTable();
con.Open();
SqlDataAdapter sqlDa = new SqlDataAdapter(com);
sqlDa.Fill(dt);
if (dt.Rows.Count > 0)
{
GridView1.DataSource = dt;
GridView1.DataBind();
}
else
{
GridView1.Visible = false;
}
con.Close();
Is this code safe from SQL injection?
If not, please correct this code so that it is safe from SQL injection.
I am using SQL Server 2008.
Solution
In short, the answer is no. You need to always use parameters in your queries.
SqlCommand com = new SqlCommand("select * from hs where ac between @ac1 and @ac2 and em=@em", con);
You then add the parameters to your SqlCommand object (com).
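The questioner's snippet rewritten with parameters as the answer describes, as an added example that is not part of the original answer. It assumes the method lives in the page's code-behind class (where TextBox1, TextBox2, DropDownList1 and GridView1 are declared) and that the `ac` and `em` columns are varchar; neither the column types nor the parameter sizes are stated on the page.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

// Added example: same query as the question, but with SqlParameter objects.
// Assumption (not on the page): hs.ac and hs.em are varchar(50) columns.
protected void BindGrid()
{
    string connStr = ConfigurationManager.ConnectionStrings["techconn"].ConnectionString;
    const string sql = "select * from hs where ac between @ac1 and @ac2 and em = @em";

    using (SqlConnection con = new SqlConnection(connStr))
    using (SqlCommand com = new SqlCommand(sql, con))
    {
        // Values are sent to SQL Server as typed parameters, separate from the
        // statement text, so quotes or keywords in the input cannot alter the query.
        com.Parameters.Add("@ac1", SqlDbType.VarChar, 50).Value = TextBox1.Text;
        com.Parameters.Add("@ac2", SqlDbType.VarChar, 50).Value = TextBox2.Text;
        // The drop-down text is still client-controlled (any value can be posted
        // back), so it is parameterized as well rather than trusted.
        com.Parameters.Add("@em", SqlDbType.VarChar, 50).Value = DropDownList1.SelectedItem.Text;

        DataTable dt = new DataTable();
        using (SqlDataAdapter sqlDa = new SqlDataAdapter(com))
        {
            sqlDa.Fill(dt);   // Fill opens the connection if needed and closes it afterwards
        }

        if (dt.Rows.Count > 0)
        {
            GridView1.DataSource = dt;
            GridView1.DataBind();
        }
        else
        {
            GridView1.Visible = false;
        }
    }
}
```

The `using` blocks dispose the connection and command even when Fill throws, which the original code's explicit `con.Close()` did not guarantee.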