实体框架和原始字符串查询 - 防止SQL注入 [英] Entity Framework and the raw string query - SQL injection prevention
本文介绍了实体框架和原始字符串查询 - 防止SQL注入的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我使用EF 4执行字符串查询:
I execute a string query using EF 4:
string query = "SELECT * FROM Table WHERE ....";
[+ build WHERE clausule based on the user's input values]
db.ExecuteStoreQuery<TAble>(query).ToList();
我想知道如何防止SQL注入在taht WHERE clausule中的查询。任何想法?
I'm wondering how to prevent that query from SQL Injection in taht WHERE clausule. Any ideas ?
推荐答案
您需要使用参数化查询:
You need to use a parameterized query:
// Build where clause
var filters = new StringBuilder();
var parameters = new List<object>();
if (!string.IsNullOrEmpty(name))
{
if (filters.Length > 0)
filters.Append(" AND ");
filters.Append("name = @name");
var param = new SqlParameter("@name", SqlDbType.NVarChar);
param.Value = name;
parameters.Add(param);
}
...
// Build query
string query = "SELECT * FROM Table";
if (filters.Length > 0)
query = query + " WHERE " + filters;
// Execute
db.ExecuteStoreQuery<TAble>(query, parameters.ToArray()).ToList();
这篇关于实体框架和原始字符串查询 - 防止SQL注入的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文